News
Please note: this is our news ARCHIVE.
November 2009
- Restaurants file lawsuit against payment terminal vendor after identity theft - www.securecomputing.net.au - 11/30/09 - "Lack of PCI DSS compliance proves troublesome. A group of US restaurants have filed a class action lawsuit against a point of sale vendor after customers had their identities stolen by using uncompliant terminals. According to a report on Finextra, seven restaurants in Louisiana and Mississippi are seeking millions of dollars in damages from vendor Radiant and its distributor Computer World after hundreds of their customers had their identities stolen as a result of payments terminals that were not PCI DSS compliant."
- Restaurants Sue Vendor for Unsecured Card Processor - www.wired.com - 11/30/09 - "Seven restaurants have sued the maker of a bank card-processing system for failing to secure the product from a Romanian hacker who breached their systems. The restaurants, located in Louisiana and Mississippi, filed a class-action suit against Georgia-based Radiant Systems for producing a point-of-sale (POS) system that they say was not compliant with payment card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen."
- PCI Human Train Wreck Coming Next Year For Level 2s - www.storefrontbacktalk.com - 11/30/09 - "Many Level 2 merchants are just now realizing that their PCI world has changed. Under rules announced this summer, Level 2 MasterCard merchants—like their Level 1 brethren—will require an onsite assessment by a QSA starting in 2010. What’s the difference between self-assessing and an onsite review? Actually, there are 525 differences. But what I worry about most is a fourth quarter 2010 PCI train wreck as the new rules collide with human frailty and the calendar."
- Are Your Employees Writing Down Credit Card Numbers? - www.qsrmagazine.com - 11/30/09 - "An independent audit of 100 of the top restaurant chains in the U.S. revealed that 80 percent of those chains have at least one unit putting customers' identities at risk of theft. GoMobo.com, an online and mobile transactions firm, recently released its PCI Risk Rating Study, which found that a number of restaurants are in violation of PCI regulations. The violations involve employees who write down credit card numbers given to them from customers ordering over the phone."
- ATM cards compromised in South Carroll - www.carrollcountytimes.com - 11/26/09 - "Maryland State Police are encouraging those who used a South Carroll automated teller machine to inspect their bank accounts after they discovered a skimming device at the Bank of America branch at 6400 Ridge Road in Sykesville, according to a press release."
- Carpark scam keeps banks busy - www.nzherald.co.nz - 11/26/09 - "More than 100,000 credit cards may be replaced as a result of thieves hacking into payment machines at the Downtown carpark in central Auckland. Auckland IT consultant Steven Ellis yesterday said service desk staff at ASB Bank told him that his new credit card was one of more than 100,000 Mastercard and Visa cards banks were replacing because of the scam."
- Banks Working Closely Together To Combat Credit Card Fraud - www.voxy.co.nz - 11/25/09 - "The New Zealand Bankers' Association says credit and debit card holders should be reassured by the work done by banks and card schemes to protect them from fraud on their card accounts. Banks are currently re-issuing credit and scheme debit cards used at the Downtown Carpark in Auckland, after it was identified as a common point of use for attempts at fraud on some card accounts. The merchant has also removed the automated credit card facilities at the carpark as a precaution and pending the outcome of an investigation."
- The End of the World - www.americanbanker.com - 11/25/09 - "Heartland Payment System's CEO Bob Carr has become the payment industry's most vocal security evangelist, on the speakers' circuit predicting that 2010 will be the year that the payments chain becomes significantly more secure. "I believe the world is going to be changed in the next year with deployed technology," Carr says. "We're going to see the security of the payments industry become markedly better in the next few years.""
- Credit Card Information Stolen From Downtown Restaurant - www2.nbc4i.com - 11/25/09 - "Columbus police are alerting patrons of a downtown restaurant that their credit card numbers may have been compromised. According to police, the computer system at Tip Top Kitchen on Gay Street was hacked and many credit card numbers were used fraudulently. The managing partner, Tim Lessner, said he was notified about a month ago that the credit and debit card system was hacked into and account numbers were stolen from people who had used their credit cards at the restaurant between July and August."
- Cyber breaches are a closely kept secret - www.reuters.com - 11/24/09 - "Cybercriminals regularly breach computer security systems, stealing millions of dollars and credit card numbers in cases that companies keep secret, said the FBI's top Internet crimes investigator on Tuesday. For every break-in like the highly publicized attacks against TJX Co (TJX.N) and Heartland Payment (HPY.N), where hacker rings stole millions of credit card numbers, there are many more that never make the news."
- Card skimming scam takes on new twist - www.wthr.com - 11/24/09 - "A new twist on an old scheme is making the rounds. Criminals are using credit card skimming machines to steal your credit card information. The skimmers are typically attached to the slot where you put your debit or credit card. The machine reads and stores the information, giving the criminal full access to your money. The devices blend in, making it hard to tell there is anything different about the card reader."
- Card skimming laws strengthened - www.smh.com.au - 11/24/09 - "New laws targeting criminals who skim credit and debit cards will be introduced in Queensland to target the growing problem of identity theft. Attorney-General Cameron Dick said it was already an offence to obtain card details by skimming an ATM or EFTPOS machine with a device but new measures would strengthen those laws. Under the amendments, possessing card-skimming devices - such as laptops, mobile phones, cameras or Bluetooth and other technology - for the purpose of obtaining or dealing with identification information would attract a maximum three-year jail term."
- Access control strategies for PCI and other security operations - www.networkworld.com - 11/23/09 - "It's late November, and the holiday shopping season is well underway. That means it's also the season for increased hacking and data thefts. So many shoppers making electronic payments with their credit and debit cards is too tempting of a situation for digital thieves to ignore. Attacks have become systematized, and are so aggressive that every organization that handles cardholder information must take extraordinary care to protect that data from theft."
- Restaurant patron catches credit card skimmer in the act - www.creditcardoffers.com - 11/23/09 - "A sharp-eyed customer in an unidentified Rockingham restaurant noticed something odd in the waiter’s hand after handing over his credit card. When police arrived, they seized a miniature skimming device, purchased over the Internet for $500. Due to the customer’s quickness, the waiter had been unsuccessful in actually skimming the credit card."
- Scammer uses skimmer to steal credit card info - www.wishtv.com - 11/23/09 - "Police are searching for at least one suspect who they said bought thousands of dollars worth of electronics with stolen credit card information. Lisa Flowers, of Carmel, had her information stolen. Flowers thought she was swiping her card to get gas, just like any other time. Little did she know, someone was stealing her information. "I had heard of it before, but I never thought it would happen to me," said Flowers. "Very violated, a little frightened. I thought if it could happen to me, it could happen to anyone," said Flowers."
- Hancock Fabrics Linked to Fraud in 3 States - www.bankinfosecurity.com - 11/23/09 - "Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that police say are tied to transactions conducted with the Hancock Fabrics retail chain. In California, Napa Police Department spokesman Brian McGovern says 60 residents reported their cards being used by thieves. In one case, a Napa resident reported $840 in cash withdrawals. The Hancock Fabrics store on Imola Avenue in Napa was the "common thread" among the numerous people who reported credit and debit card fraud. McGovern says the store had recently replaced its point-of-sale machines."
- Police: Skimmers Take Unsuspecting Customers' Cash - www.theindychannel.com - 11/23/09 - "Several suspected ATM skimming incidents have been reported in recent weeks in communities north of Indianapolis, prompting police to release a surveillance picture of one man believed to be involved. Carmel police Detective Brad Hedrick said the man pictured recently used a victim's credit card to buy electronics at Fry's Electronics on 96th Street in Fishers and a Best Buy store on Michigan Road in Carmel. Hedrick said he thinks the victim's credit card may have been swiped and reproduced through a skimmer at an area gas station and that similar crimes have occurred recently in Fishers, Westfield, Noblesville, Lawrence and Indianapolis."
- Bank Card Skimming Victim Depleted At Pump - www.thepittsburghchannel.com - 11/22/09 - "As the busiest shopping week of the season is set to begin, a Westmoreland County mother who fell victim to theft has a warning for others who may fall victim without even knowing it. Tammy Tressler stopped at a gas station in a hurry on Thursday. She had her baby in the car and had to get home. She swiped her debit card in the gas tank machine and went about her way."
- New state rules seek to prevent theft of customer information - www.patriotledger.com - 11/21/09 - "Five years ago, identity thieves intercepted wireless transmissions from two Marshalls stores in Miami, opening the floodgates for the biggest data breach in U.S. history. Now Massachusetts businesses are gearing up to comply with new state regulations designed to prevent a repeat of the breach at TJX Cos., the parent company of the Marshalls and T.J. Maxx chains. The regulations, which take effect March 1, will make customers’ and employees’ personal information harder for hackers to access."
- So Much Data, So Little Encryption - www.informationweek.com - 11/21/09 - "If you go solely by top-level stats on encryption use, you'll come away feeling pretty secure--86% of the 499 business technology professionals responding to our InformationWeek Analytics State of Encryption Survey employ encryption of some type. But that finding doesn't begin to tell the real story. Only 14% of respondents say encryption is pervasive in their organizations. Database table-level encryption is in use by just 26%, while just 38% encrypt data on mobile devices."
- Windsor police nab Quebec pair for debit card scam - www.windsorstar.com - 11/20/09 - "Two Quebec residents have been arrested by Windsor police in connection with a high-tech point-of-sale PIN pad fraud scheme that financial crime detectives have been investigating since the spring. Police say the suspects — a man and a woman — were first captured on a surveillance camera on Tuesday evening. The pair were allegedly attempting to swap a PIN pad at a Burger King on Dougall Avenue with a decoy. An alert employee noticed them and the pair fled before police arrived."
- Thousands victimized by debit card scam - www.ctvbc.ctv.ca - 11/20/09 - "Thousands of people across Metro Vancouver have had their bank accounts drained by a debit card scam in recent weeks. Criminals placed phoney readers in place of legitimate devices, skimming tens of thousands of dollars. RCMP officials said Friday they don't know if they're dealing with one organized crime group or multiple groups. "It's throughout the Lower Mainland," said RCMP spokesman Sgt. Peter Thiessen."
- Debit card skimming heats up - www.bclocalnews.com - 11/19/09 - "Police are grappling with a major spike in debit card skimming activity in the Lower Mainland."
- Massive B.C. fraud hits debit-card users - www.cbc.ca - 11/19/09 - "There has been a massive debit-card fraud in B.C.'s Lower Mainland involving thousands of cards and possibly millions of dollars, CBC News has learned. The fraud was committed through compromised debit machines at stores in the communities of Ladner, Delta, Langley, Surrey and possibly Vancouver. It appears debit-card pads were replaced with pads equipped with devices that transmitted PIN numbers and transaction information to a criminal organization."
- Banks warn of increase in card 'skimming' (New Zealand) - www.legalbrief.co.za - 11/19/09 - "SA's banks have warned consumers of a surge in credit and debit card 'skimming' this festive season after a cashier at a retail chain in Durban was arrested on suspicion of doing so."
- Skimming device attached to North Naples ATM - www.nbc-2.com - 11/19/09 - "Deputies are trying to identify a man they say may be involved in the placement of a skimming device on a North Naples ATM. Investigators say the man, pictured below, installed the skimmer at the SunTrust at 2420 Vanderbilt Beach Road on November 14th. Several ATM customers report their information was then used by a thief on the east coast of Florida."
- Store cashier caught 'skimming' in South Africa - www.thepost.co.za - 11/18/09 - "South Africa's banks have warned consumers of a surge in credit and debit card "skimming" in the festive season after the arrest of a Durban retail chain cashier suspected of doing so. The South African Banking Risk Information Centre (Sabric) said shoppers should be aware of who was swiping their debit or credit cards, and be as alert with their cards as they were with cash. This caution to consumers was prompted by the recent arrest of a cashier at Game at the Gateway Theatre of Shopping after a store manager swooped on him when a customer reported his suspicion."
- Credit card security breach fear in Europe - news.bbc.co.uk - 11/18/09 - "Reports are being investigated of a major credit card scam in Spain. Anyone who used a Visa or Mastercard credit card when in Spain may have had their card data compromised. In Germany, as many as 100,000 cards are reportedly being recalled. UK customers will be contacted directly if they are thought to be at risk."
- Massive credit card fraud in Europe exposed - www.dw-world.de - 11/18/09 - "Concerns about data privacy have led a number of banks to replace thousands of credit cards. MasterCard and Visa uncovered the security breach after data from a Spanish partner company was stolen by thieves. Thousands of credit card holders have been told to hand back their cards after fraudsters in Spain illegally obtained information about their accounts."
- U.K. Prepares Heavier Hammer For Data Breaches - www.storefrontbacktalk.com - 11/18/09 - "Alarmed about an “unacceptable” level of data loss and theft during the past year, the British Government is proposing fines of as much as 500,000 pounds (about US$841,000) for retailers that commit “serious breaches” of the nation’s data protection regulations. “This reflects the importance that government places on safeguarding personal data effectively and processing it responsibly and lawfully,” said the U.K. Ministry of Justice."
- Merchants warned to protect their pin pads - www.bclocalnews.com - 11/17/09 - "Police are grappling with a major spike in debit card skimming activity in the Lower Mainland. Fraudsters have stepped up their efforts to illegally harvest card data and passwords, forge fake cards and then suck money out of victims' bank accounts, according to Sgt. Tony Farahbakhchian, the RCMP's Pacific region counterfeit coordinator. "The increase is significant," he said, but added he doesn't have precise numbers of banking customers affected."
- 'Skimmer' used to steal from bank ATM - www.northjersey.com - 11/18/09 - "A device installed in an automated teller machine in the lobby of a Clifton Avenue bank was used to steal "a significant amount of money" from bank customers, police said. Police are seeking two men they suspect planted the data-reading devices, or "skimmers," inside the teller machines. A skimmer device inserted into an ATM in the lobby of Bank of America at 1045 Clifton Ave. enabled someone to steal money from 65 customer accounts between Oct. 28 and Nov. 1."
- VeriFone Announces VeriShield Protect for EMV Smart Cards - pindebit.blogspot.com - 11/17/09 - "VeriFone Holdings, Inc. (NYSE: PAY), today announced that its VeriShield Protect end-to-end encryption solution for card payment security will be available for use with the EMV smart card standard and will also support contactless payments. First introduced in the U.S. to help merchants and acquirers secure cardholder information and comply with PCI data security requirements, VeriShield Protect is now being expanded for use worldwide in support of all card payment types."
- Ottawa firm convicted of credit and debit card fraud - www.ottawacitizen.com - 11/16/09 - "The owners and an employee of a Bank Street company that masqueraded as a legitimate business but really specialized in credit and debit card fraud were part of a criminal organization, an Ottawa judge found in a precedent-setting decision Monday. Ontario Superior Court Justice Robert Smith found Robert Cattral, 39, Catherine Margaret Brunet, 39, and Henry Charles Beauchamp, 41, all guilty of participating or contributing to the activities of Canadian Barcode and Plastic Card Supply Inc., a criminal organization the judge found bought and sold devices used to forge credit and debit cards between January 2002 and July 2004."
- Debit card skimming heats up - www.bclocalnews.com - 11/13/09 - "Police are grappling with a major spike in debit card skimming activity in the Lower Mainland. Fraudsters have stepped up their efforts to illegally harvest card data and passwords, forge fake cards and then suck money out of victims' bank accounts, according to Sgt. Tony Farahbakhchian, the RCMP's Pacific region counterfeit coordinator. "The increase is significant," he said, but added he doesn't have precise numbers of banking customers affected."
- Revealed - the machines behind the EFTPOS scam - www.watoday.com - 11/12/09 - "Targeted.. the Ingenico PX328, the EFTPOS machine at the centre of the WA EFTPOS skimming scam. The skimming scam that has stripped almost $5 million from WA bank accounts was due to old EFTPOS machines easily hacked, a senior industry insider says. The impact of the scam has spread nationally, with two of the nation's best-known brands taking steps to upgrade their EFTPOS machines in its wake."
- RBS WorldPay: 8 Hackers Indicted in $9 Million ATM Theft - www.bankinfosecurity.com - 11/12/09 - "Eight members of a hacker ring that made off with more than $9 million in a massive ATM fraud scheme last November were indicted in an Atlanta, GA courtroom this week. The eight men, all from eastern European countries, are accused of hacking into a computer system at RBS WorldPay, the U.S. payment-processing division of Royal Bank of Scotland Group. They then allegedly cloned prepaid ATM cards, which they used to draw out cash from 2,100 ATMs in 280 cities around the world within a couple of hours."
- Court Ruling Jeopardizes Credit Card Privacy Law - www.californiaprogressreport.com - 11/12/09 - "The California Legislature long ago recognized the dangers associated with collecting and maintaining consumers’ personal identification information, finding that the practice put the physical safety of consumers at risk and jeopardized consumers’ financial security due to identity theft and credit card fraud. In response, the Legislature enacted an amendment to the Song Beverly Credit Card Act in 1990 to protect privacy rights guaranteed to consumers by Article 1, Section 1 of the California Constitution."
- Virus and Malware Prevention Is an Ongoing Battle - www.govtech.com - 11/11/09 - "You don't have to look hard to find examples of public and private organizations that have been hacked by viruses and harmful worms - a quick Internet search will turn up plenty. The Charlotte Observer in North Carolina reported on Sept. 25, 2009, that 236,000 records at the University of North Carolina at Chapel Hill were compromised by virus activity. The data was from the Carolina Mammography Registry and was being used for a university research project. The intrusion was detected in July, but may have occurred in 2007 and gone undetected for years."
- Hackers Indicted in Widespread ATM Heist - online.wsj.com - 11/11/09 - "The U.S. Justice Department indicted eight Russian and Eastern European computer hackers, alleging they were part of a crime ring that allegedly broke into ATMs in hundreds of cities world-wide and stole $9 million in a matter of hours."
- New police powers against card skimmers (Australia) - www.allvoices.com - 11/11/09 - "NSW Police say new laws will allow them to crack down on bank card skimming. Legislation announced on Wednesday will create three new offences in an attempt to stop the selling of personal information. Trafficking in identity information will attract a maximum 10-year jail term. Possessing such information with intent to commit a crime will carry a maximum seven years, while possession of card skimmers and other devices will have a maximum three year term."
- PCI: Is Your Institution Compliant? - www.bankinfosecurity.com - 11/11/09 - "Since the Heartland data breach was announced in January, there's been no shortage of discussion about the Payment Card Industry Data Security Standard (PCI DSS) and its requirements of merchants and payments processors. But what about financial institutions? Banks and credit unions store large amounts of cardholder data, but often show little awareness of PCI requirements, say security experts, including the Qualified Security Assessors (QSA) who test for PCI compliance."
- Falmouth card cloning warning - www.falmouthpacket.co.uk - 11/11/09 - "A Falmouth man has warned others to keep an eye out for card cloning devices on cash machines after falling victim twice in one month. The man, who does not want to be named after fears criminals still have his financial information, says he thinks the cloners struck in Falmouth or Penryn."
- U.S. Takes Down $9 Million RBS WorldPay Hacking Ring - www.threatpost.com - 11/10/09 - "U.S. and international prosecutors have taken down a criminal ring that they allege was responsible for an ATM scam last year that stole about $9 million from RBS WorldPay. The criminals were able to evade the company's encryption system used on payroll debit cards and withdraw money from ATMs in 280 cities around the world."
- UPDATE: Debit scam hits Langley - www.bclocalnews.com - 11/10/09 - "Joan Pearce received a call on Monday morning from her bank informing her that her debit card may have been compromised. Her bank asked her to come in to get a new card. When she arrived at the Scotiabank on 56 Avenue, she wasn’t the only one they had called. “There was quite a lineup of us getting new cards,” she said."
- U.S. Alleges $9 Million Debit-Card Hacking Ring - online.wsj.com - 11/10/09 - "Federal prosecutors alleged that members of an elaborate hacking ring broke into debit-card systems and stole $9 million from automated teller machines in hundreds of cities world-wide. Prosecutors in Atlanta Tuesday announced indictments against eight members of the alleged ring, from eastern European countries, in what is believed to be among the most brazen and damaging electronic bank heists to date."
- International Effort Defeats Major Hacking Ring - atlanta.fbi.gov - 11/10/09 - "VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia; SERGEI TŠURIKOV, 25, of Tallinn, Estonia; and OLEG COVELIN, 28, of Chisinau, Moldova, along with an unidentified individual, have been indicted by a federal grand jury on charges of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, and aggravated identity theft. IGOR GRUDIJEV, 31, RONALD TSOI, 31, EVELIN TSOI, 20, and MIHHAIL JEVGENOV, 33, each of Tallinn, Estonia, have been indicted by a federal grand jury on charges of access device fraud."
- Crook admits to credit card expertise - www.thesudburystar.com - 11/07/09 - "All of the equipment necessary to manufacture and forge credit cards -- from embossing machines to foil printers and even blank cards -- were found in a Sudbury motel room by city police June 22. They also found Douglas Birney, 29, and Joey Alonso, 30, in the room. Friday, in Sudbury court, Ontario court Justice William Fitzgerald found both men guilty of several charges related to forging credit cards."
- 600 Potentially Scammed By ATM Skimmers - www.wsmv.com - 11/07/09 - "Carol Stephenson is among more than 600 potential victims in the Nashville area who used an ATM machine and unknowingly handed over all her information to thieves. "It's unfair," she said. "You feel like you are invaded a little bit with your privacy." Police said 60 people like Stephenson had between $100 and $5,000 taken from their accounts."
- Domestic disturbance call turns into fraud bust in PoCo for Coquitlam RCMP - www.bclocalnews.com - 11/06/09 - "A Port Coquitlam woman faces a number of charges and a man is wanted by police after a domestic violence call turned into a fraud factory bust last week. According to Coquitlam RCMP, police responded to a possible domestic dispute call just after 10 p.m. on Oct. 26 in an apartment in the 2300-block of Shaughnessy Street in PoCo. While Mounties were inside talking to a woman, the officers noticed fraud-related items."
- Video: Raid on Romanian Bank Card Skimming Ring - www.wired.com - 11/06/09 - "Police in Romania this week swooped in on 19 members of an alleged international credit and debit card skimming ring that’s been active in Switzerland, Italy, France, and the U.S., according to local reports. Romania’s national Directorate for Countering Organized Crime staged 23 coordinated raids Tuesday, most of them in the city of Craiova, according to the Gazeta de Sud. The police found fake ATM components, card readers, five luxury cars, lots of cash, 100 cloned cards, documents showing wire transfers, and at least one handgun."
- Federal data-protection law inches forward - www.computerworld.com - 11/05/09 - "A sweeping new bill that would implement a national standard for data protection and breach notification got a boost of support today from the Senate Judiciary Committee. The committee approved the Personal Data Privacy and Security Act of 2009 (S.1490) by a vote of 15-5. The bill is now headed to the full Senate for consideration. If it becomes law, the bill, which was introduced by Sen. Patrick Leahy (D-Vt.), would require companies and government agencies to follow specific rules for protecting sensitive and personally identifiable data."
- PATTAYA POLICE ARREST 2 ROMANIAN CREDIT CARD FRAUDSTERS - www.pattayadailynews.com - 11/05/09 - "Two Romanian citizens have been arrested at a popular hotel in Pattaya in relation to a credit card skimming and duplication scam recently. Pattaya, 5th of November 2009 (PDN): Allegedly two Romanian born Tourists have been arrested in Pattaya at the "DC Hill Hotel" whilst in possession of two stolen ATM cards and some high tech skimming equipment, believed to have been used to read credit and bank account numbers from ATM’s across Pattaya for use in a card duplication scam."
- Card skimming a growing problem (Australia) - www.abc.net.au - 11/05/09 - "Card skimming is being reported around the country with disturbing frequency. The victims find that someone else has used their credit cards or debit cards, sometimes in another city or even another country. The latest example of card skimming has stung residents in Wollongong's northern suburbs. Police say about 100 people have lost money and one victim says he has lost about $8,000."
- Credit Card Security Rules Evolving Faster Than Businesses Can Keep Up - www.boston.com - 11/05/09 - "A flurry of new regulations, guidelines and clarifications designed to improve credit card security at the point of purchase has retailers and other organizations that accept credit card payments - especially their internal audit, information technology and information security staff - scrambling. With three new pieces of guidance on the docket for Payment Card Industry (PCI) compliance, as well as larger fines for non-compliance, these companies face not only external pressures to beat deadlines but also internal pressures to meet requirements in a strategic and cost-effective manner."
- Northfield police say theft device found on ATM - www.chicagotribune.com - 11/04/09 - "Northfield police are warning people who used the drive-up ATM at Chase Bank, 400 Central Road, Oct. 9 to 11 to check their bank statements, because a device that can collect debit card information was placed on the machine. In an e-mail alert to the community this week, police said a "skimmer" was placed on the ATM. It covers the normal card reader and looks authentic."
- Card skimmers steal thousands from accounts - www.illawarramercury.com.au - 11/03/09 - "Thousands of dollars have been skimmed from the bank accounts of northern suburbs residents over the past two days. Customers of the Commonwealth Bank, St George Bank and CUA are among those hit by the fraudsters. Card skimming involves information being illegally copied from the magnetic strip of a credit or debit card. Once the card has been skimmed, a fake card with the victim's details is created to carry out fraudulent transactions."
- Police ask for help identifying suspects in Abbotsford ATM fraud - www.theprovince.com - 11/03/09 - "Abbotsford police are asking for help identifying two men suspected in multiple ATM and bank-card frauds. On Oct. 14, say police, two men were recorded on surveillance video placing a pinhole-camera canopy and a magnetic-strip skimmer on an ATM at an Abbotsford business. Two days later, a man reported to police that the debit card he'd used there had been compromised and $3,000 had been taken from his account."
- Card skimmers targeting fast food restaurants steal $4 million in Australia - www.securityinfowatch.com - 11/03/09 - "Police in Perth say a card skimming scam that began in McDonalds fast food restaurants has netted thieves more than $4-million. Police are urging people who have purchased food from a McDonalds store in the past couple of months to have the PIN on their bank card changed. Detective Senior Sergeant Don Heise says several people had tens of thousands of dollars stolen from their bank accounts at the weekend."
- Visa Australia kills signatures by 2013 - www.zdnet.com.au - 11/02/09 - "The move, instigated to reduce card fraud, involves working with financial institutions and retailers to upgrade over 14 million visa cards, half a million point of sale terminals, and thousands of ATMs. From January 2010 all new Visa cards will feature smart chips, while debit and reloadable prepaid cards will be updated from January 2011. Currently around 37 per cent of Australian Visa cards are chip-enabled."
- Javelin Research does not expect US to adopt Chip & PIN - Transaction Trends Magazine - 11/09 - "While most business markets are migrating to some type of EMV chip-based card system, analysts at Javelin Strategy & Research do not expect the US to follow suit, citing an already robust magnetic stripe infrastructure and escalated implementation costs as primary barriers to adoption of this global trend."
- The Last Refuge of Scoundrels - Digital Transactions Magazine - 11/09 - "The good news is that the once shadowy world of criminal sites that buy and sell stolen card and bank-account data isn't so shadowy any more. The bad news is that these bad-guy bazaars are devilishly hard to shut down."
October 2009
- Verizon's New Security Offer Covers Your Apps - www.lightreading.com - 10/30/09 - "Verizon Business today is launching a new service aimed at helping enterprises continuously monitor and protect their Web-based applications from security threats and data breaches. The software-as-a-service (SaaS) offering, using WhiteHat Security's application vulnerability management SaaS platform, lets subscribers check their applications for vulnerability whenever changes are made or even on a periodic basis for safety's sake."
- Nearly 500 People Fall Victim To ATM Skimming Scam - www.newschannel5.com - 10/30/09 - "A warning to the mid-state, using ATM machines could be as dangerous as giving a thief a personal debit card. Police are calling it a nationwide scam. Skimming victim Lindsey Payne has gone to the bank hundreds of times before, and she said last week was no different. Something happened during her five minute trip that has her steering clear of ATM machines."
- Card skimmers targeting fast food restaurants steal $4 million in Australia - www.securityinfowatch.com - 10/30/09 - "Police in Perth say a card skimming scam that began in McDonalds fast food restaurants has netted thieves more than $4-million. Police are urging people who have purchased food from a McDonalds store in the past couple of months to have the PIN on their bank card changed. Detective Senior Sergeant Don Heise says several people had tens of thousands of dollars stolen from their bank accounts at the weekend."
- European Commission mulls data breach notification law - www.theregister.co.uk - 10/28/09 - "The European Commission will consider passing new laws forcing organisations that lose personal data to go public with that loss. The Commission has until now been opposed to the creation of wide-ranging data breach notification requirements. The Commission and European Council insisted that a data breach notification in a recent Telecoms Package of reforms only applies to telecoms companies."
- Card skimming device found inside gas pump - www.pattersonirrigator.com - 10/28/09 - "A credit card skimming device was found inside a card reader in a gas pump at the Union 76 gas station on Rogers Road on Wednesday, Oct. 28, after thieves wreaked havoc on Patterson residents’ bank accounts by stealing credit and debit card information, police said. The Stanislaus County Sheriff’s Department said the device — which was installed after forcing entry into the pump — was not visible from the outside, and no other information was immediately available."
- Police Warn of ATM Scam - www.wztv.com - 10/28/09 - "Metro Police want you to be on alert about an ATM scam that's hit Middle Tennessee. Police say over the past several days 39 people across Nashville have reported their ATM cards were compromised. The suspects are believed to be travelers who stay in cities for 2-3 days."
- Information-age arrests - www.bclocalnews.com - 10/28/09 - "“An overwhelmingly large amount of personal data” is how Mounties are describing evidence seized from an Ashcroft home as part of a major fraud bust last week. Police confirmed some of the stolen information belongs to Kamloops residents. On Wednesday, Kamloops RCMP released more information on the investigation, including putting on display a table-full of items seized from the home used in the credit-card operation."
- 300 Victimized By ATM Skimming, Say Police - www.wsmv.com - 10/28/09 - "Metro police said there's been a rash of ATM skimming, and they believe there are more than 300 victims. Skimming is when thieves place a piece of equipment over the ATM card slot. The device copies all of a user's information so thieves can then clone the card. There have been 39 reports just in the last week. Police said ATMs across Nashville have been hit, including machines in Brentwood and Belle Meade."
- Federal, industry reps call for national standards to report data breaches - www.nextgov.com - 10/28/09 - "The Homeland Security Department should establish a national standard to encourage companies and individuals to report data breaches to federal authorities, helping them gauge the intensity of cyberattacks and investigate cybercrime, security professionals said on Wednesday. Federal agencies are required to report data breaches to the U.S. Computer Emergency Readiness Team, which is part of DHS. Reporting requirements for companies, however, vary by state."
- Credit cards re-issued in Finland after data breach in Spain - www.hs.fi - 10/28/09 - "A credit card security breach has been uncovered in Spain that may involve up to tens of thousands of Finnish bank and credit cards. So far it is not known exactly how many Visa or Master Card accounts have been compromised because of the information breach. Where in Spain the hacking took place is also unclear. In Finland, the news was first reported on Tuesday by the Finnish Broadcasting Company's (YLE) main evening news bulletin."
- Bank machine at Tradex compromised - www.bclocalnews.com - 10/27/09 - "A sophisticated pinhole camera designed to capture personal identification numbers was located on an ATM machine at Tradex during the West Coast Women's Show this weekend. Abbotsford Police are investigating after a woman at the exhibition centre familiar with that automatic teller machine noticed it had a newly installed metal hood over the keypad around 12:30 p.m., said Const. Ian MacDonald."
- Another Credit card scam busted - www.rupeetimes.com - 10/27/09 - "The Chennai Police on Friday claimed that it had arrested a Sri Lankan Tamil, mastermind behind a major credit card scam. The racket was involved in cloning credit cards using a skimmer, an embossing machine and other equipment. The Police arrested HariKumar on October 15 when he tried to buy things using a fake credit card in Perambur."
- 'Smart' debit cards will stop skimming - www.winnipegfreepress.com - 10/27/09 - "DEBIT-card skimming will soon be a crime of the past if Canada's financial institutions have their way. That's because banks and credit unions are in process of approving and, in some cases, rolling out debit "smart" cards embedded with small computer chips. The chips are replacing the 30-year-old magnetic-stripe technology, which is outdated and all-too-susceptible to card skimmers, who can copy the stripe's data and make duplicate cards, often right under their victims' noses. This kind of fraud cost Canadian financial institutions more than $100 million last year."
- Chase Paymentech, VeriFone and Semtek Join Forces to Offer End-to-End Encryption Solution - www.businesswire.com - 10/27/09 - "Chase Paymentech, a leading merchant acquirer and payment processor, announces a joint initiative with VeriFone Holdings, Inc. (NYSE:PAY), and Semtek Corporation to provide end-to-end encryption technologies for merchants to combat threats to security. The companies will work together to market and distribute VeriFone’s VeriShield Protect solution to the Chase Paymentech base of retail merchants."
- Encryption & Key Management Benchmark Survey - www.thalesgroup.com - 10/27/09 - "Need to know how to best incorporate encryption into your compliance planning? Attend this webinar for a summary of what more than 650 IT managers worldwide had to say in the 2009 Encryption and Key Management Benchmark Report. Making the right decisions with your data protection budget has never been more important."
- Judge says TD Ameritrade's proposed security fixes not enough - www.thestandard.com - 10/27/09 - "A federal judge's rejection of a proposed settlement by TD Ameritrade Inc. in a data breach lawsuit marks the second time in recent months that a court has weighed in on what it considers to be basic security standards for protecting data. U.S. District Court Judge Vaughn Walker in San Francisco yesterday denied final approval of a settlement that had been proposed by TD Ameritrade in May to settle claims stemming from a 2007 breach that exposed more than 6 million customer records."
- NSA to build secretive data center in Utah - www.securityinfowatch.com - 10/27/09 - "An intelligence official says the National Security Agency will build a secretive electronic data center at a National Guard camp in Utah. The deputy director for the Office of National Intelligence for Collection, Glenn Gaffney, says the data center will be dedicated to protecting the nation from cyber-attacks."
- Police investigate stolen debit card info - www.securityinfowatch.com - 10/20/09 - "Department of Homeland Security Secretary Janet Napolitano delivered an online address Tuesday regarding the agency’s efforts to secure the nation’s networks. Napolitano said that President Obama views cyber security as being paramount to national security and has charged the agency with playing a key role in helping to coordinate efforts between law enforcement and other government agencies to ensure that the proper safeguards are in place to prevent hackers and other cyber criminals from gaining access to secure data."
- Heartland CIO is critical of First Data's credit card tokenization plan - www.techtarget.com - 10/26/09 - "The CIO of Heartland Payment Systems Inc. sees possible weaknesses in a new proposal brought forth by credit card processing giant First Data Corp., which uses credit card tokenization software developed by RSA, the security division of EMC. Heartland CIO Steven Elefant, who is overseeing Heartland's E3 end-to-end encryption solution, said the First Data process may pose a greater security risk, since the credit card data is being replaced with tokens early on in the process."
- Visa prefers data-field encryption - www.greensheet.com - 10/26/09 - "When Visa Inc. speaks, the payments industry listens. The world's largest card brand issued a global best practices paper that advises all merchants that accept electronic payments to consider data-field encryption technology be installed on their private networks as a necessary complement to the Payment Card Industry (PCI) Data Security Standard (DSS). In the paper, available at http://corporate.visa.com/_media/best-practices.pdf, Visa makes five main recommendations:..."
- Visa prefers data-field encryption - www.greensheet.com - 10/26/09 - "A large part of what complicates compliance with the Payment Card Industry (PCI) standards for data, PIN entry device and payment application security is the frequent, though necessary, changing of the rules to keep up with evolving security threats. To make things easier, the PCI Security Standards Council (PCI SSC) established specific timelines by which upgrades must be made to payment terminals. Yet, compliance is enforced by the card brands, not the PCI SSC."
- VeriFone addresses PCI enforcement confusion - www.greensheet.com - 10/26/09 - "A large part of what complicates compliance with the Payment Card Industry (PCI) standards for data, PIN entry device and payment application security is the frequent, though necessary, changing of the rules to keep up with evolving security threats. To make things easier, the PCI Security Standards Council (PCI SSC) established specific timelines by which upgrades must be made to payment terminals. Yet, compliance is enforced by the card brands, not the PCI SSC."
- Swiping your cash is too easy in Australia - www.dailytelegraph.com - 10/24/09 - "WHEN Michael Souri received an answering machine message to call his bank's "security division" one evening this month, he thought he had done something wrong. But the questioning he received when he called the division back left Souri, the owner of Surry Hills Lebanese restaurant institution The Prophet, even more troubled. "Have you been to Canada and Bulgaria in the last few days?", the voice on the phone asked. Souri had been the victim of a global card-skimming fraud that raided $30,000 from his bank account in two days. His PIN and account details had been "skimmed" on a holiday to Bali two months earlier."
- Data masking secures sensitive data in non-production environments - www.networkworld.com - 10/23/09 - "Last week's article covered the topic of protecting data in databases from the inside out. That is, watching every action involving data as it happens, and promptly halting improper actions. This week's article takes a look at data masking, which is another way to protect sensitive data, especially as it is being copied and used in the development and testing of applications."
- Person of Sri Lankan origin arrested in fake credit card case - www.indopia.in - 10/23/09 - "Umesh, a Sri Lankan who grew up in Canada, was arrested based on the interrogation of Harikumar, nabbed two months back for trying to make payments to a cold storage dealer by swiping a fake credit card, the CCB said in a press release. A special team was formed to nab Umesh after Harikumar revealed he had supplied him with fake credit cards. Umesh was arrested from Porur here, the release said, adding plain cards believed to have originated from Malaysia and Canada were recovered from him."
- California's Proposed Cyber-Crime Legislation Could Resurface in 2010 - www.apparelnews.net - 10/23/09 - "A recently vetoed California bill aimed at protecting consumers’ credit card information online may resurface in 2010, according to the state senator who drafted the measure. Earlier this month, Gov. Arnold Schwarzenegger vetoed SB20, written by State Sen. Joe Simitian (D–Palo Alto). It would have updated a 2002 law that required businesses to give more-detailed information to consumers when they lose consumers’ information such as credit card numbers. More than 40 other states, including Nevada and Massachusetts, have similar laws on their books."
- Debit Card Fraud Store Owner Speaks - www.krdo.com - 10/23/09 - "One store that exposed thousands of Pikes Peak area customers to identity theft is speaking up about the criminal case. Cheers Liquor Mart owner Jack Backman says the problem was their internet connection and debit cards. Somehow thieves accessed customer information then bought items all over the country in customers names. Some purchases of up to $300 were made as far away as Georgia."
- LCSO: Masterminds behind Circle K debit card fraud under arrest - www.tallahassee.com - 10/22/09 - "The Leon County Sheriff’s Office announced this morning that it has arrested two men who deputies believe are the masterminds behind a “sophisticated and organized criminal operation” that involved debit card skimming at two Circle K convenience stores in Tallahassee. Another man is being sought. Reginald Lions Voltaire, Junior Douger were each charged Wednesday with multiple offenses, including organized scheme to defraud, organized communications fraud and 78 counts of use of scanning device or re-encoder to defraud."
- Two Arrests in Restaurant Credit Card Skimming - www.khsltv.com - 10/22/09 - "There's new information in the investigation into a credit card skimming operation that started in Redding. At least 13 Redding residents had their credit card numbers stolen at a Redding restaurant. A joint investigation by Redding Police and the Secret Service has led to the arrest of two men near Las Vegas. The alleged scam started back in February. At least 13 victims had their credit card information skimmed by a former worker at the New China Restaurant on Eureka Way in Redding. Authorities say a temporary worker used a hand-held device to steal customer credit card information in February."
- Winnipeg police are investigating debit-card skimming operation - ca.news.yahoo.com - 10/22/09 - "Winnipeg police are investigating a debit-card skimming operation that occurred at a number of businesses across the city. The initial investigation has revealed that PIN pads were compromised by the suspects and information belonging to customers paying for their purchases by debit was collected, police said in a release issued Wednesday."
- Millions stolen in credit card fraud surge (Australia) - www.ninemsn.com.au - 10/22/09 - "A surge in credit card fraud at ATMs and EFTPOS facilities has seen Australians fleeced out of tens of millions of dollars in recent months. A leading fraud expert says Australia's outdated and insecure banking technology has made the country the target of Romanian credit card skimmers with increasingly sophisticated equipment. NSW Fraud Squad commander Col Dyson told ninemsn that gangs obtained credit card details with magnetic stripe skimmers and cameras attached to standard ATMs."
- TPD, USSS and LCSO Joint Investigation Shuts Down Debit Card Skimming Operation - www.wctv.tv - 10/22/09 - "Each victim reported they were still in possession of their debit cards and the fraudulent transactions were in the form of wire transfers and ATM withdrawals. Early indications were these fraudulent transactions were “PIN” driven transactions, which meant the suspect(s) used the victim’s debit card information and Personal Identification Number to authorize the transactions."
- Retail Data Breach Victim Opts To Roll Back The Tech Clock - www.storefrontbacktalk.com - 10/21/09 - "One of the longstanding problems with retail security is that the best advice for retailers comes from the experts in the field. And those people often work for the vendors that sell security products and services. Retail, therefore, has developed a culture of handling security problems by purchasing more security products to layer on top of what they already have in place. But one retail data breach victim this month took the opposite approach. The Colorado liquor store had its payment records stolen via the Internet."
- ChoicePoint Fined $275K for 2008 Breach - www.bankinfosecurity.com - 10/21/09 - "October 21, 2009 - Linda McGlasson, Managing Editor - Data broker ChoicePoint has agreed to a stronger data security program and will pay a $275,000 fine for a breach in 2008, according to the Federal Trade Commission. The FTC says the company failed to implement a comprehensive information security program to protect consumers' personal information, as required by the agency after ChoicePoint's 2004 breach, which affected more than 160,000 U.S. consumers."
- Hundreds affected by debit card skimming operation - www.winnipeg.ctv.ca - 10/21/09 - "Winnipeg police say they are investigating after hundreds of people were hit with a debit card skimming operation. Officers say the early investigation shows suspects collected information from debit pin pads used by people paying for their purchases. Suspects then took that information to make a number of fraudulent transactions in Eastern Canada."
- Identity theft scheme claims at least 13 Redding victims, police say - www.redding.com - 10/21/09 - "Two Southern California men have been arrested in Nevada after they allegedly defrauded at least 13 Redding residents who had earlier used credit cards at a Eureka Way restaurant, police said today. A third suspect, who is believed to be in Southern California, is being sought, police said. Police said that Edward Liu, 26, of Alhambra and Jin Lin, 35, of Monterey Park were detained on Sept. 23 and later arrested by Henderson (Nev.) police and a financial crimes task force after repeatedly using fraudulent cards at a business."
- Hydro customer info used in scam - cnews.canoe.ca - 10/21/09 - "Police are investigating after a woman got a job at Manitoba Hydro using a stolen identity and used her position to access the personal information of more than 900 customers and take out fraudulent credit cards. The employee used customers' names and other information to apply for 45 credit cards without the victims' or Manitoba Hydro's knowledge, said Glenn Schneider, a spokesman for the Crown corporation."
- Converging Trends Spur Interest in Card Terminals - www.americanbanker.com - 10/20/09 - "An impending deadline, several security initiatives and the ongoing adoption of contactless cards have payment terminal companies trying to position themselves for an anticipated surge in demand for point of sale systems. Christopher Justice, Ingenico SA's president for North America, said merchants are "at the start of a refresh" cycle. The French terminal maker announced last week the first of several planned management revamps to prepare for the U.S. market's growing appetite for updated payment terminals."
- Cops warn of debit card data theft - www.winnipegsun.com - 10/20/09 - "Winnipeg police have received several complaints in recent days of debit card data being stolen and used to make fraudulent purchases or withdrawals, sources say. A source said police have received dozens of complaints from people who lost $400 to $800 or more late last week or over the weekend in the debit-card skimming scam."
- California Governor Delivers Surprise Data Breach Law Veto - www.storefrontbacktalk.com - 10/20/09 - "California Governor Arnold Schwarzenegger is a man of surprises, be it as a bodybuilder turned successful movie star or as a staunch Republican winning election as the governor of reliably Democratic California. This month, though, he delivered his latest surprise in the form of a veto of a key data breach bill, a bill that had already had its critics withdraw all of their opposition. Schwarzenegger’s veto (which allegedly prompted the bill to look at the governor and bellow, “I’ll be back”) is not the first time he’s tackled data breach legislation; he has already forced earlier versions to be diluted."
- SKIMMING DEVICES LOCATED - www.saultstar.com - 10/20/09 - "City police discovered a skimming device, used to copy the information embedded on a debit or credit card's magnetic stripe, on a local bank machine. Two people are under arrest. Police received information Sunday about a suspicious device on a TD ATM on Capp Avenue. They located the device and shortly after checked a nearby vehicle, where they found devices used in the forging and falsifying of credit cards and data skimmed by these devices."
- Response to Your Recent Tokenization versus End-to-End Encryption Article - www.verifone.com - 10/20/09 - "I read the recent article you published on Tokenization versus End-to-End Encryption and I think there are several errors or misconceptions that should be corrected. Perhaps some of this comes from the bias of the experts you interviewed. First the entire discussion of tokenization versus end-to-end encryption does not even make sense. This is not an either or solution, nor is it a large versus small company decision. Both tokenization and end-to-end encryption can improve the security of cardholder data and can work well together in many environments."
- An Inside Look at the Secret Service’s Battle to Hobble the Hackers - www.digitaltransactions.net - 10/20/09 - "The August indictments of three individuals allegedly responsible for the theft of 130 million credit and debit card numbers in the Heartland Payment Systems Inc. data breach made headlines across the world. Yet little attention is paid to the laborious investigative work needed to track down the criminals behind these types of infiltrations into computer systems and wireless networks. In the case of Heartland, the U.S. Secret Service first came across the alleged ringleader, Albert Gonzalez, in August 2008 while investigating data breaches dating back to 2004, according to Ken Jenkins, deputy special agent in charge, U.S. Secret Service criminal investigation division."
- Credit cards also involved in Cheers Liquor security breach - www.gazette.com - 10/19/09 - "A security breach in the credit-card processing system at Cheers Liquor Mart involves both credit and debit cards and likely involves customers of dozens, if not hundreds, of financial institutions nationwide, the Colorado Springs-based retailer said today. Cheers has shut down a wireless broadband system that was used to process credit-card transactions and replaced it with an older dial-up system that is more secure and difficult to hack, said James Wall, a Denver-based spokesman for Cheers."
- ATM 'card skimmer' found in Largo - www.abcactionnews.com - 10/19/09 - "LARGO, FL -- Largo Police say that they found a card skimmer on a local bank's ATM. The police say that someone went to use an ATM at the Wachovia Bank at Jasper and Missouri Ave in Largo. When the person went to swipe their card, a piece fell off the machine and the person called the police. Police went to the machine and said that they found a card skimmer. They took the ATM and searched other banks in the area. No other skimming devices were found."
- Malaysian link to fake credit card scam in India - www.mmail.com.my - 10/19/09 - "Chennai police in Tamil Nadu are investigating fraud credit card cases that have links with organised crime in Malaysia........"
- Payroll Processor Breached Twice in One Month - www.bankinfosecurity.com - 10/19/09 - "For the second time in less than a month, New Jersey-based payroll processor PayChoice has alerted customers to a network breach. PayChoice, based in Moorestown, NJ, had to take its Online Employer site offline last Thursday for a short time after the latest security breach was discovered. While the exact cause of the breach was not revealed, the company says it has taken new precautions."
- Crime gangs say Australian ATM fraud 'easy' - www.news.com.au - 10/18/09 - "ROMANIAN crime gangs are targeting Australian ATMs for card-skimming fraud due to the high withdrawal limits set by local banks. Romanian police chief Elvis Tudose said the gangs had singled out Australia because of the vulnerability of local ATMs and light sentences imposed by courts. "In Australia, your countrymen are not very prepared to face the threat from them," Chief Inspector Tudose said. "This is the reason they probably choose Australia.""
- Hancock Fabrics Credit card scams hit home - www.napavalleyregister.com - 10/18/09 - "Recently at least 50 Napa County residents became victims of credit card and debit card fraud of a sort that poses an increasing danger as more of us rely more heavily on the use of plastic in our purchases. The victims all used cards at a specific store, and soon thereafter saw their bank or credit card accounts compromised with debits and withdrawals from stores and locations they did not visit."
- Debit card skimming strikes customers in Maple Ridge and Coquitlam - www.news1130.com - 10/16/09 - "MAPLE RIDGE (NEWS1130) - Hundreds of customers in Maple Ridge and Coquitlam are the latest victims of a debit card skimming scam. Ridge Meadows RCMP say even one of their employees was affected. However, police aren't saying exactly which stores were hit. A skimming scam in West Vancouver's Park Royal Shopping Mall turned up last April - compromised PIN pads were discovered at Whole Foods and Athletes World among others. Skimming was responsible for $94 million in fraud across Canada last year. Police are asking people in the Tri-Cities to check their statements for suspicious activity."
- Singapore looking to improve online security - www.zdnetasia.com - 10/16/09 - "Ingo Noka, Visa's Asia-Pacific head of data security and enterprise risk management, explained that dynamic authentication uses passwords that are generated every 10 seconds. This helps ensure passwords, even when stolen, will no longer be valid for use in online transactions after a time limit, Noka said in an interview with ZDNet Asia. These passwords can be generated by a token or sent via SMS to the consumer, he added. The payment structure is similar to Internet banking transactions in Singapore, where local banks support dynamic passwords as part of the two-factor authentication process."
- Fed Regulation of Private Data Mulled - www.bankinfosecurity.com - 10/16/09 - "Congress should consider enacting legislation allowing the federal government to regulate how the private sector handles and stores data to battle the increasing problem of data breaches, says the chairwoman of a House panel that has jurisdiction over cybersecurity. Rep. Yvette Clarke, the Brooklyn, N.Y., Democrat who chairs the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, says she hopes to hold hearings on what she calls the National Data Breach Law either later this year or in early 2010."
- Police investigate stolen debit card info - www.gazette.com - 10/16/09 - "Thousands of customers of at least five financial institutions serving the Colorado Springs area have had their debit card numbers stolen through an unidentified local merchant, Colorado Springs police confirmed Thursday. Ent Federal Credit Union, southern Colorado’s largest financial institution, began notifying between 1,500 and 1,700 cardholders last weekend that their card numbers had been compromised and about 150 had fraudulent transactions posted to their accounts, said Dana Chippindale, an Ent spokeswoman."
- Debit card breach is traced to Cheers Liquor Mart - www.gazette.com - 10/16/09 - "A debit card breach affecting thousands of Colorado Springs area cardholders resulted from outside hackers gaining access to Cheers Liquor Mart’s computer system sometime last month, owners of the Springs-based retailer said Friday. Cheers hired Cyopsis LLC, a Denver-based information technology forensics and investigations firm, to determine the source of the breach and prevent further breaches, said Jeff Robinson, one of four owners of one of the city’s largest liquor retailers."
- SC World Congress: US Feds call for more collaboration - www.securecomputing.net.au - 10/15/09 - "Top officials from US law enforcement and government agencies speaking at SC World Congress in New York this week said progress has been made in fighting cybercrime recently, but increased collaboration with individuals from the private sector and international law enforcement bodies is needed to keep up the momentum."
- Two Eagan men charged in credit card scam - www.thisweeklive.com - 10/15/09 - "Two Eagan men are accused of using a device called a “skimmer” to steal credit and debit card information from others and load it onto gift cards for their own use. The Dakota County Attorney’s Office has charged Abe Walter Smith, 31, with one count of identity theft, and Gabriel Adam Alexander Langford, 23, with two counts of credit card fraud."
- Wal-Mart’s VPN Data Breach Raising Server Log Questions - www.storefrontbacktalk.com - 10/15/09 - "Back in June 2005, right around the time that several major retailers (including TJX, BJ’s Wholesale Club, Boston Market and DSW) were being attacked by Albert Gonzalez’s cyber thief gang, Wal-Mart was quietly experiencing its own data breach. In Wal-Mart’s case, though, the breach began in June 2005 and wasn’t discovered by Wal-Mart until some 17 months later."
- Inter-state fake credit card racket busted in Kerala (India) - www.ptinews.com - 10/15/09 - "An inter-state fake credit card racket duping jewellers and textile shops of goods worth lakhs of rupees was busted by police today with the arrest of six persons, including five from Maharashtra. The six were arrested here today by a police team led by IG Tomin Thachankary, investigating the case of purchase of Rs 2.5 lakh worth of ornaments from a jewellery shop here using forged cards recently, police said."
- Heartland's Breach: Lessons Learned (w/ Video) - www.informationweek.com - 10/15/09 - "Earlier this year, Heartland Payment Systems announced a major security breach that sent a few shockwaves through the financial world, not just because of its impact on Heartland, but also because of what the incident revealed about the sophistication of the Russian hackers who perpetrated this fraud. Heartland's CSO Kris Herrin talked to me about it at our recent Bank Summit in Pasadena, CA."
- Live Webcast: Tokenization and End-to-End Encryption - Fact and Fiction - www.voltage.com - 10/14/09 - "As a result of both the recent PCI DSS Community meeting and the PricewaterhouseCoopers survey on approaches for achieving PCI compliance, attention is now focused on two technology solutions that help merchants reduce PCI audit scope, secure consumer credit card data and reduce the costs associated with PCI compliance."
- Millions stolen from McDonald's customers - www.theaustralian.news.com.au - 10/14/09 - "Major fraud squad detective senior sergeant Don Heise said inquiries by police had confirmed EFTPOS devices had been compromised. Card information and PIN details from debit and visa cards had been obtained in the fraud, Det Heise said."
- McDonalds EFTPOS scam could claim more victims: Police - www.abc.net.au - 10/14/09 - "People are being urged to change their bank card or PIN if they have used it to make a purchase at a Perth McDonalds restaurant in the past three weeks. Thousands of West Australians have had a total of more than $450,000 dollars stolen from their debit and credit card accounts over the past three weeks in an EFTPOS skimming scam."
- Card firm hacking hits thousands of Swedes - www.thelocal.se - 10/14/09 - "Debit card information for tens of thousands of Swedish banking customers may have fallen into the wrong hands following a security breach at card manufacturers MasterCard and Visa. Computer systems at both card makers were breached recently, allowing hackers to get away with data on thousands of banking cards, the Aftonbladet newspaper reports."
- Bank of Bermuda moves to protect customers after security breach - www.royalgazette.com - 10/13/09 - "Several hundred Bank of Bermuda accounts were closed yesterday and cards cancelled as an overseas retailer reported a breach in customer security. Bank spokeswoman Susan Jackson said: 'Bank of Bermuda received notification from Visa and MasterCard that an overseas vendor has been compromised and that a number of Visa and MasterCard accounts may have been affected, including a number of cards issued by the Bank of Bermuda.'"
- Wal-Mart victim of serious security breaches in 2005 & 2006 - www.internet-security.ca - 10/13/09 - "It's now confirmed that Wal-Mart was the victim of a serious Internet security breach back in 2005 and 2006. Hackers targeted the Wal-Mart development team in charge of the chain’s PoS (point-of-sale) system and successfully managed to transfer source code and other very sensitive data to a computer in Eastern Europe. Wal-Mart acknowledged the hack attack, which it calls an “internal issue,” since no sensitive customer data was stolen. The company then said it had no obligation to disclose the breach publicly, but did so because of mounting speculation and many reporters' phone calls to the company's head offices in the last week."
- Visa Clarifies Policy on PIN Pad Mandates - www.nacsonline.com - 10/13/09 - "Visa hosted a webinar to clarify and reiterate its PIN pad data encryption policy on September 9. Ross Snailer and Stoddard Lambertson of Visa’s Payment Risk team led the presentation (PDF) that shed some light on what has been a much talked about topic for petroleum retailers. During the call, Visa stated that all attended POS and kiosks must be Triple DES (TDES) compliant by July 1, 2010, but that fines to acquirers (and presumably merchants) would not occur until August 1, 2012."
- MagTek's MagneSafe™ technology – exceeds Visa's best practices for data field encryption while combining all 5 emerging technologies highlighted at the recent PCI conference - www.magtek.com - 10/13/09 - "MagTek®, Inc., a global leader in secure electronic payment technology, today announced that its MagneSafe technology, the industry’s standard for Secure Card Reader Authenticators (SCRAs), meets and exceeds Visa’s recently published best practices for data field encryption, also referred to as "end-to-end encryption" and is the only technology to combine all five of the "emerging technologies" identified by PricewaterhouseCoopers (PWC) in its report to PCI entitled: Emerging Technology Research."
- Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack - www.wired.com - 10/13/09 - "Wal-Mart was the victim of a serious security breach in 2005 and 2006 in which hackers targeted the development team in charge of the chain’s point-of-sale system and siphoned source code and other sensitive data to a computer in Eastern Europe, Wired.com has learned."
- Credit card-stealing device makes its Minnesota debut at Wendys - blogs.citypages.com - 10/12/09 - "A device called a "skimmer" that steals credit card information just by swiping the card has been implicated in incidents in Eagan and Maplewood. The item looks extremely similar to a normal payment-swipe device, so it's easy for criminals to hide their intentions when stealing card info."
- Credit card-stealing device makes its Minnesota debut at Wendys - www.hometownannapolis.com - 10/12/09 - "STEVENSVILLE, Md. (AP) — The Queen Anne's County Sheriff's office says a card-skimming device was attached to an ATM machine in Stevensville. The sheriff's office says 88 people reported unauthorized transactions. The device has not been found, but investigators believe it was on the ATM at the Bank of America branch at 1114 Shopping Center Road between Sept. 26 and Oct. 9."
- FBI cybercrime operation reveals massive online banking fraud scheme - www.thepaypers.com - 10/12/09 - "The FBI arrested and charged 53 US individuals accused of carrying out fraudulent internet-based activities, more exactly of operating a vast phishing operation and stealing at least USD 2 million from 2007 onwards. 47 more individuals, charged as co-conspirators, are set to be arrested by Egyptian authorities."
- CRIME: Card skimmer attached to Eastern Shore ATM machine - www.delmarvanow.com - 10/11/09 - "The Queen Anne's County Sheriff's office says a card-skimming device was attached to an ATM machine in Stevensville. The sheriff's office says 88 people reported unauthorized transactions. The device has not been found, but investigators believe it was on the ATM at the Bank of America branch at 1114 Shopping Center Road between Sept. 26 and Oct. 9."
- Fraudster accesses local bank accounts - www.thepeterboroughexaminer.com - 10/10/09 - "City police are advising people to check their bank accounts after several local banks were compromised by a fraudster. Sgt. Sean Quinlan said the breach most likely affected a number of local banks, resulting in numerous frozen accounts. “We know of at least four affected banks,” he said. “But there could be more.” The scam likely happened sometime between August and now, he said. Quinlan didn’t know how many customers have been affected. The banks haven’t called police yet, he said."
- Major Perth eftpos fraud suspected? - abclocal.go.com - 10/09/09 - "If you use your ATM card a lot, listen up: Thieves have come up with a new scam to get your money. Grand Central Area detectives have had a number of complaints about ATM skimming on the North and Northwest side. The detectives say people have had money stolen from their bank accounts by offenders who place chips and small hidden cameras at the ATMs to obtain pin numbers."
- Don't Relax On The Breach - www.forbes.com - 10/09/09 - "Data breaches that don't involve financial information sound relatively benign. But Paul Royal recently discovered that these kinds of breaches are often part of a multi-step attack aimed at stealing personal financial data. Royal, a security researcher at Atlanta-based Purewire, encountered these so-called "chained exploits" when he received an e-mail purporting to be from his former employer's online payroll provider."
- Cyberthieves find workplace networks are easy pickings - www.usatoday.com - 10/09/09 - "It took only a modicum of skill for a cybergang to steal 94 million credit and debit card payment records from the TJX retail chain — and follow that up by hauling in 130 million records from credit card processor Heartland Payment Systems. Court records reveal that those record-setting break-ins were almost too easy. Even more surprising: The thieves were able to take their sweet time extracting the data, in each case going undetected for more than a year."
- McDonald's reveals EFTPOS skimming in Perth card fraud - www.news.com.au - 10/09/09 - "FAST food chain McDonald's has revealed customers' account details have been skimmed from EFTPOS terminals at Perth outlets - and says the fraud may continue. McDonald's Australia says it cannot guarantee that more West Australians will not be fleeced in the EFTPOS fraud scam that has siphoned hundreds of thousands of dollars from unsuspecting customers this week."
- Man Arrested for ATM "Skimming" in Manhattan Beach - www.ktla.com - 10/09/09 - "A Romanian national is under arrest after police say he tried to install a "skimming" device on a bank ATM in Manhattan Beach. George Puflene, 26, is believed to be part of an organized crime ring that "skimmed" $70,000 from customers' accounts, police said."
- ATM `skimming' case may be part of a ring - www.dailybreeze.com - 10/08/09 - "A Romanian national arrested as he installed a fake keyboard atop a Citibank ATM in Manhattan Beach is believed to be part of an organized crime ring that "skimmed" $70,000 from customers' accounts, police said Thursday. So far, Manhattan Beach police have received 50 reports of illegal withdrawals from bank accounts ranging from $100 to $10,000."
- Heartland Breach: Inside Look at the Plaintiffs' Case - www.bankinfosecurity.com - 10/08/09 - "Prior to the Heartland Payment Systems (HPY) data breach, company executives misrepresented their "state of the art" security measures, says a new document filed in the class action suit against the payments processor. Heartland publicly touted its "multiple layers of security," and said it placed "significant emphasis on maintaining a high level of security in order to protect the information of our merchants and their customers," according to the master complaint filed last month in U.S. Southern District Court in Houston."
- Retail Data Breach Liability Shield May Get Gutted - www.storefrontbacktalk.com - 10/08/09 - "In a move that has the potential to make it much more difficult for retailers to defend themselves against civil data breach lawsuits, the judge overseeing the Hannaford data breach case has reversed himself. The Maine Supreme Court is now involved. For years, retailers involved in major data breaches had little to worry about from U.S. courts, thanks to credit card zero liability programs."
- Visa’s Retail Token Advice Of Token Value - www.storefrontbacktalk.com - 10/08/09 - "Visa on Monday (Oct. 5) issued a document to ostensibly help retailers figure out how best to navigate the new encryption and tokenization landscape, but as a practical matter, the document did little beyond rehash conventional wisdom and long-standing Visa and PCI best practices. It felt more like a quintessential psychologist advice session: “Dr. Visa, what should we do about tokenization?” “That’s an excellent question, Mr. CIO. What do you think you should do?”"
- The Survey Says: 28 Percent Of Retailers Using Payment Data For Non-Payment Functions - www.storefrontbacktalk.com - 10/08/09 - "Officially, Visa and other card brands “discourage” retailers from using card data for non-transaction functions, such as CRM or other customer identification programs. But many retailers continue to do the forbidden practice and to do so openly. And even Visa won’t say that it will punish a retailer caught blatantly doing it. “We’d work with the acquirer and work with the merchant to try and rectify the situation,” said Jennifer Fischer, a Visa senior business leader who focuses on payment risk issues."
- Lawsuit: A Heartland Manager Resigned Because Of PCI Compliance Issues - www.storefrontbacktalk.com - 10/08/09 - "As the lawsuits involving Heartland’s massive data breach move through the court system, an unusual claim was inserted into a court filing. The Sept. 23 filing in the U.S. District Court for the Southern District of Texas was trying to raise questions about Heartland’s post-breach conduct. It then shared the following anecdote without further explanation."
- Verizon Business teams with McAfee to offer security in the cloud - www.itwire.com - 10/08/09 - "Verizon Business and McAfee have formed a global strategic alliance to provide integrated security solutions to businesses and government agencies worldwide under which the companies will jointly develop a suite of next-generation, cloud-based managed security services. Together, McAfee and Verizon Business will offer a comprehensive portfolio of managed security services (MSS) to enterprises, leveraging the strength of Verizon Business' MSS offerings and McAfee's technology."
- Best Practices for Data Field Encryption to Protect Cardholder Information in Transit and Storage - usa.visa.com - 10/07/09 - "Best Practices for Data Field Encryption to Protect Cardholder Information in Transit and Storage Cardholder data security continues to be an important issue for all stakeholders in the payment system. While payment system participant compliance with the Payment Card Industry Data Security Standard (PCI DSS) has undoubtedly prevented many breaches of cardholder information, some entities’ lack of ongoing compliance has resulted in compromises, particularly of cardholder data in transit."
- Credit Card Skimmer at Local Gas Station? - www.cvsd.com - 10/07/09 - "I received this information from a resident about a device that steals credit card information attached to a local gas pump. I assume the device is gone now, and I don’t have any first-hand knowledge (but I have contacted the police.) Please don’t avoid this particular station because of this warning — similar devices could be at any station, ATM or retail store. Just watch out for unusual or mis-matching card readers, and check your statements regularly for suspicious activity."
- Australian police investigate skimming fraud - www.xinhuanet.com - 10/07/09 - "West Australian police revealed on Wednesday an EFTPOS (Electronic Funds Transfer at Point of Sale) scam has seen more than 150,000 Australian dollars (133,893 U.S. dollars) stolen from 2,500 bank accounts using details gleaned at Perth retail outlets. EFTPOS is an Australian and New Zealand financial network for processing credit cards, debit cards and charge card payments at "Point of Sale" and transacting at ATMs."
- Visa probes tokens, encryption for PCI card data protection - searchsecurity.techtarget.com - 10/07/09 - "Visa Inc. is weighing in on the process of protecting credit card data with end-to-end encryption and the use of tokens. The card brand issued a document this week outlining best practices for encryption that includes the use of tokens. Visa said the document aims to help encryption vendors develop a common standard and help early adopters choose the right approach to deploy data protection."
- Encryption, Tokenization Loom Large As PCI Council Mulls Changes - www.digitaltransactions.net - 10/07/09 - "Will the 2010 iteration of the Payment Card Industry data-security standard represent a major break from the current version or just have some minor changes? That’s the question before the card networks, merchants, merchant acquirers, and payment processors now that one meeting with PCI stakeholders is down and another is coming up in a two-year process to update the critical rules governing card security."
- Waitresses Charged With Card Skimming At Ruby Tuesday's Restaurant - www.paymentssource.com - 10/07/09 - "Three men were charged with providing waiters and waitresses at Ruby Tuesday's restaurants with credit card skimmers that were used to steal card information and make tens of thousands of dollars of unauthorized purchases in credit union and bank accounts. The skimmers drained funds from accounts at Philadelphia FCU, Freedom FCU, Diamond CU, Navy FCU and about a dozen banks, according to an indictment handed down by a federal grand jury last week."
- Thieves use gift cards to scam credit card holders - www.kfor.com - 10/06/09 - "Even though you still have your actual credit card, people steal your card info and use it to open a new account in their name. And even when it's canceled, they still have buying power through gift cards. Thieves are cloning credit cards and spending to the limit and buying gift cards before the victims can catch them. Detective Scott Stephens said, "By the time you find out your account has been compromised, they've already bought these gift cards, flat screen TVs or whatever.""
- Major Perth eftpos fraud suspected? - www.watoday.com.au - 10/06/09 - "An investigation is under way into a suspected major eftpos and atm fraud scam in Perth. Police say they have received "substantial information" regarding machines being used to "skim" credit and debit cards of details - including PIN numbers - throughout the metropolitan area."
- VeriFone Aligned with Visa Best Practices for End-to-End Encryption - www.businesswire.com - 10/06/09 - "VeriFone Holdings, Inc. (NYSE: PAY), today announced that its VeriShield Protect card payment data protection solution is in compliance with Visa’s best practices for data field encryption, also known as end-to-end encryption, that were published on October 5th. Visa’s announcement reflects growing momentum for implementation of end-to-end encryption as a key payments security layer that can render any intercepted data useless."
- Lawsuit: Heartland Knew Data Security Standard was 'Insufficient' - www.bankinfosecurity.com - 10/05/09 - "Months before announcing the Heartland Payment Systems (HPY) data breach, company CEO Robert Carr told industry analysts that the Payment Card Industry Data Security Standard (PCI DSS) was an insufficient protective measure. This is the contention of a new master complaint filed in the class action suit against Heartland, which in January announced a data breach that is now estimated to be the largest known hack, involving 130 million credit and debit card accounts."
- Lawsuits over Heartland data breach folded into one - www.computerworld.com - 10/05/09 - "A lawsuit consolidating 16 separate class-action complaints brought by financial institutions against Heartland Payment Systems Inc. has been filed in U.S. District Court for the Southern District of Texas. The claims stem from the massive data breach disclosed by Princeton, N.J.-based Heartland in January. The complaints allege that the payment processor was negligent in its duty to protect card holder data."
- Police search computers of two alleged 'skimmers' - www.wral.com - 10/05/09 - "Raleigh police searched the computers of two men alleged to be involved in "skimming" credit card data from points of purchase and stealing credit card numbers. Mohamad Mustafa Derbas, 23, of 10233 Carter St. in Wake Forest, and Ahmad Hasan Odeh, 23, of 4113 Old Brick Court in Raleigh, are charged with conspiracy to obtain property by false pretense, conspiracy to commit felony larceny and possession of transaction card forgery devices."
- Visa Releases Global Data Encryption Best Practices - www.earthtimes.org - 10/05/09 - "Visa Inc. (NYSE: V) today announced global industry best practices for data field encryption, also known as end-to-end encryption. The best practices are designed to further the payment industry's efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the "clear.""
- Can the phone be a second factor in authentication? - www.scmagazineus.com - 10/05/09 - "There is a high degree of ambiguity among retail organizations regarding how to comply with certain requirements of the Payment Card Industry Data Security Standard (PCI DSS). There are, however, some PCI DSS sections that provide merchants with crystal-clear direction on how to achieve compliance."
- PCI Compliance - Why spas, hotels and resorts can no longer ignore it! - www.hotelnewsresource.com - 10/05/09 - "Years ago, a merchant's crime threats were limited to an armed delinquent or a shoplifter. Today you can add the cyber thief to that list. This thief is looking for a more profitable payoff, your customer's/guest's payment card information. He or she is much more savvy and capable of doing more harm to your business than just emptying your hotel's front desk float or spa's cash register."
- Poor handling of ATM fraud cases worries customers (Nigeria) - www.234next.com - 10/05/09 - "With the increase in the number of bank customers who have become victims to Automated Teller Machines (ATM) fraud, a legal practitioner has expressed concern over the poor attitude of Nigerian banks in helping the victims to recover their losses. Tochukwu Onyiuke of Punuka Attorneys & Solicitors, told NEXT on Sunday that of the over 700 ATM scam cases he is handling, none of the banks involved has shown genuine interest in rendering assistance to the victims."
- Credit Card Skimmer Discovered at Gas Station - www.234next.com - 10/02/09 - "Nevada ranks third in the nation when it comes to people being victimized by identity theft, according to Federal Trade Commission. The problem is so widespread that Las Vegas Police have dedicated an entire unit to investigating the crime. One common way criminals strike is by using technology attached to gas pumps or ATM machines. No one is immune to this type of crime as some patrons of a gas station in Pahrump found out."
- Account 'Skimmer' Found On Bel Air ATM - www.wbaltv.com - 10/02/09 - "Police in Bel Air said a device that steals personal information from ATM cards was discovered on a machine at a Bank of America branch on Main Street. Authorities said they believe that type of crime is rare in Bel Air but are concerned because the scheme was so sophisticated that people didn't realize they were victims until it was too late."
- Credit Card Skimming Survey: What’s Your Magstripe Worth? - www.wired.com - 10/02/09 - "Ever wonder how much the data on the back of your credit card is worth to a corrupt food service worker? The answer, it turns out, depends on which restaurants you frequent in Florida. For some reason, the Sunshine State is a hotbed of federal prosecutions for “skimming”, in which a retail or service worker with a criminal bent swipes your credit card through a pocket-sized magstripe reader when you’re not looking — capturing your name, card number, expiration date and other information."
- 3 accused of stealing diners' credit card IDs - www.philly.com - 10/02/09 - "Three Philadelphia men were indicted yesterday on charges of illegally using the credit and debit cards of customers of two city restaurants by recruiting servers and other workers to steal their account information and then using it to create false - but functioning - cards. According to the federal grand jury indictment, the fraud and identity-theft ring targeted other restaurants and businesses in addition to the two named: T.G.I. Friday's, 4000 City Ave., and Ruby Tuesday, 16th and Chestnut Streets."
- Voltage, RSA spar over tokenization, data protection - searchsecurity.techtarget.com - 10/02/09 - "Voltage Security Inc. and RSA, the security division of EMC, are exchanging blows over the best way to protect credit card data during the payment process. Both vendors have partnered with different payment processors to develop slightly different methods to protect credit card data from the point a credit card is swiped at the point-of-sale (POS) system until a transaction is complete."
- Opinion: Take no chances with card security (Australia) - www.securecomputing.net.au - 10/01/09 - "Time has run out for businesses that handle credit card information. In the past week, merchants were hit with a double-whammy reminder of the risks of slack credit card transaction security. From yesterday, Visa required its merchants not to store sensitive credit card data after an authorised transaction expired."
- One in five Australians cloned by ID hackers - www.dailytelegraph.com.au - 10/01/09 - "ONE in five Australians is a victim of credit card fraud or computer hackers. The identity crimes report, which was commissioned by credit company Veda Advantage and conducted by Galaxy Research, found more than 1.5 million people's credit cards had been skimmed and 1.2 million people's bank accounts were illegally accessed. Many more people's mail containing PINs and other information that can be used to create a false identity was stolen."
- Bank card skimming device found - www.brantfordexpositor.ca - 10/01/09 - "Police are advising anyone who used a TD Canada Trust ABM terminal on Wednesday to change their PIN number. A debit card skimming device was found inside an ABM machine at a local TD Canada Trust branch. It appears the device had just been installed when found because bank employees regularly check ABM terminals, police said. However, it is not known how many card numbers may have been compromised, police said."
- Warning after card skimmer found - news.bbc.co.uk - 10/01/09 - "Police have urged the public to be vigilant when using cash machines after the discovery of a card skimming device in an Aberdeenshire town. The device was found on an Alliance and Leicester ATM in High Street, Turriff."
September 2009
- State of the Hack – Latest Financial Attacks - www.fsisac.com - 09/30/09 - "This "straight from the battlefield" presentation will provide case studies that describe in detail the most recent computer security incidents that Mandiant has responded to on behalf of the organizations. Here is a link to the recording of this webinar."
- Express Scripts: 700,000 notified after extortion - news.idg.no - 09/30/09 - "Nearly one year after being hacked by computer extortionists, pharmacy benefits management company Express Scripts now says hundreds of thousands of members may have had their information breached because of the incident. Last November, the company reported that someone had threatened to expose millions of customer prescription records, but it has come under criticism for being vague about how many of its customers' records were accessed."
- IBM's Encryption Breakthrough for the Web - www.businessweek.com - 09/30/09 - "In the dog days of summer 2008, an intern at IBM Research was sitting in a Manhattan café turning a problem over in his head. Craig Gentry was thinking about cryptography, the science of codes and data protection, tussling with a question that had confounded the world's greatest mathematicians for three decades. Is it possible to run calculations on encrypted data without actually decrypting it?"
- Cashless society spawns new breed of thieves - www.bclocalnews.com - 09/30/09 - "An increasingly cashless society has bred a new type of criminal. Storming into an establishment and strong arming people to give up cash has given way to a highly organized network of near invisible criminals who wield impressive technological skills to separate people and institutions from their money."
- The Two Scenarios Coming From The PWC PCI Report - www.storefrontbacktalk.com - 09/30/09 - "At the PCI SSC Community Meeting last week, the biggest highlight was the presentation of a report the group sought from PricewaterhouseCoopers (PWC). The first presentation of the PWC report of PCI Emerging Technologies made it clear that by expanding the technological scope of PCI DSS, companies will be able to reduce the scope of their PCI compliance efforts."
- Defending PCI: 'Don't Blame the QSA's' - www.bankinfosecurity.com - 09/30/09 - "Since the announcement of the Heartland data breach in January, the merits of the Payment Card Industry Data Security Standard (PCI DSS) have been questioned, and Bob Russo has led the defense. Russo is general manager of the PCI Security Standards Council, the group responsible for the development, management, education and awareness of the PCI Security Standards."
- Inmate hacker locks down jail computers - www.theregister.co.uk - 09/29/09 - "A UK prison computer system was left in lockdown after jail bosses gave a convicted cybercriminal the task of reprogramming it, the Sunday Mirror reports. Douglas Havard, 27, an inmate at Ranby Prison, Nottinghamshire, was asked to take over a project to create an internal TV station using the jail's computer network."
- Police Warn About Possible Gas Pump Credit Card Fraud - wake.mync.com - 09/29/09 - "The Raleigh Police Department are warning residents across the Triangle to keep an eye on their credit card bank statements after two men were arrested for allegedly using a scanning device to steal credit card information at area gas stations. Loc Huu Bui and Nghi Huu Bui were arrested and charged with eight to ten counts each of financial card fraud and card theft with a scanning device."
- Data Breach Trends: How to Avoid a Hack - www.bankinfosecurity.com - 09/29/09 - "Heartland Payment Systems, Radisson Hotels and Network Solutions have made the big headlines so far this year. But other data threats are out there and continue to evolve, according to Chris Novak, managing principal at Verizon Business Investigative Response Team, which produced this year's 2009 Verizon Business Breach Report."
- A New Payments Security Group Plans a Mass Hack Simulation - www.digitaltransactions.net - 09/29/09 - "A payments-industry security group formed earlier this year is going through the rather dry procedures of establishing a charter and electing leaders. But one of its first projects could get pulses beating a little faster: a simulated mass attack on databases containing payment card and demand-deposit account information."
- California Data breach notification law SB 20 strikes right balance: Simitian - searchcompliance.techtarget.com - 09/28/09 - "California State Sen. Joe Simitian could be called the father of state data breach notification laws. He received the award for Excellence in the Field of Public Policy at the RSA Conference 2007 in recognition of that -- though he's willing to share the credit. California Senate Bill 1386 is known as the first state data breach notification law, and the one on which most other state laws are based."
- PCI DSS Update Could Include Virtualization Security - www.darkreading.com - 09/28/09 - "The PCI Data Security Standard (PCI DSS) is due for an update next year, and the upcoming version of the standard could define securing cardholder data in virtualization environments. The PCI Virtualization Special Interest Group (SIG), made up of auditors, vendors, merchants, banks, and quality security-assessment firms, this week met to hash out a proposal for how to include virtualization technology in PCI."
- Effectively Protecting Your Customers' Data - www.businessweek.com - 09/28/09 - "Contact center staff are on the data security front lines. Properly trained they can thwart intrusion. Unfortunately contact centers too frequently have environments that foster data loss and theft. Employees are typically low-paid and have minimal or no benefits, are often poorly supervised, rushed to meet metrics, and face enormous stress. Today's organizations depend and thrive on data for marketing, customer service and staff management, and like anything that is valuable, criminals have been seeking it to commit ID theft, blackmail or other crimes."
- Virtualization Next for PCI Standard? - www.bankinfosecurity.com - 09/27/09 - "Linda McGlasson, Managing Editor. The next version of the Payment Card Industry Data Security Standard (PCI DSS), due out some time in 2010, may include guidelines for the use of virtualization technology to protect card data. This was the prediction of some industry leaders meeting at the Payment Card Industry's Security Standards Council community meeting in Las Vegas last week."
- Second blow for Bolton as company is banned - www.theage.com.au - 09/26/09 - "NICHOLAS BOLTON faces losing his multi-million dollar internet empire after the Supreme Court of Victoria upheld a decision by the industry regulator, auDA, to ban one of his companies from selling or administering domain names."
- Former Congressman Does Not See Federal PCI Legislation Likely - retailpayments.blogspot.com - 09/25/09 - "Tom Davis, former US Congressman currently at Deloitte, gave the keynote speech at the PCI SSC community meeting this week in Las Vegas. After some very interesting insights about how presidential job approval impacts congressional elections which is what drives much of Congress, he talked about the current climate on the hill for cyber security initiatives, including legislation covering PCI."
- Calls for PCI DSS compliance logo - www.securecomputing.net.au - 09/25/09 - "Calls have been made for a compliance logo to be created for Payment Card Industry Data Security Standard (PCI DSS) accredited companies to display. As part of its recommendations to the PCI DSS Council, Imperva called for a compliance logo for consumers, as companies cannot articulate their security efforts to consumers, and consumers are not aware of the compliance status of the retailers they do business with. "
- Two held in fake credit cards case - www.timesofindia.com - 09/25/09 - "HYDERABAD: Task Force sleuths on Sunday apprehended two persons in fake credit card case. Mohammed Sarfaraaz, 29, of Somajiguda and Cheemalarri Vinay Krishna, 30, of Ameerpet were apprehended near Kamath Hotel in Secunderabad, while they were waiting for a customer to deliver the cloned credit cards."
- 'Skimming' puts local debit cards in jeopardy - www.owensoundsuntimes.com - 09/24/09 - "Hundreds of Scotiabank clients in Owen Sound have had their debit cards temporarily restricted by the bank as it investigates a possible security breach involving a "skimming" incident in the area. Skimming, or debit card fraud, is a type of identity theft that occurs when thieves steal the information from the magnetic strips on bank cards and/or user's personal identification numbers (PINs)."
- ATM Scamming Thefts On The Rise In The High Desert - www.cbs2.com - 09/24/09 - "Thieves are placing card-scanning devices on the outside of ATMs to skim magnetic strip information from the back of debit cards, which are then used to make fake cards. Officials suspect the scammers are using binoculars or video cameras to capture PIN numbers from unsuspecting bank customers. "
- A World Without Payment Cards (and PCI Compliance) - blogs.bankinfosecurity.com - 09/24/09 - "Credit and debit cards are everywhere. I use mine daily, and I suspect many functioning adults in the U.S. and beyond do as well. For me, convenience is a major factor in their use -- instead of carrying around wads of cash, I can carry a single piece of plastic and use it to accomplish the same goal -- buy things. If I lose my wallet or worse, get robbed, I'm out a small piece of plastic instead of actual cash."
- Debit-card skimming shocks Fort Erie residents - www.niagarafallsreview.ca - 09/24/09 - "Imagine you are about to go spend some of your hard earned money at the grocery store or at another local retail outlet... but when you get there you realize your entire bank account has been cleaned out. This unfortunate situation was a reality for several local residents this past weekend as about 15 cases were reported to the Niagara Regional Police, saying a transaction was made from their account that they are not responsible for."
- First Data and RSA Team Up to Provide Layered Security That Protects Merchant Card Data and Brand Equity - www.businesswire.com - 09/23/09 - "First Data, a global leader in electronic commerce and payment processing services, and RSA, The Security Division of EMC (NYSE:EMC), have teamed up to provide a new service called First Data® Secure Transaction Management℠, which is engineered to enable merchants to secure payment card data and remove it from their environment while allowing access when needed."
- Voltage Security First to Combine Encryption, Tokenization and Data Masking in Single Platform to Reduce PCI Audit Scope - www.marketwire.com - 09/23/09 - "PCI SSC 2009 Community Meeting -- Voltage Security, Inc. (www.voltage.com), the global leader in end-to-end data protection, today announced it has extended Voltage SecureData™ by adding tokenization and data masking capabilities to the existing encryption functionality, enabling the end-to-end protection of data, such as credit card numbers, in applications and databases."
- Ponemon Institute and Imperva Survey Shows Companies Still Struggle to Protect Consumer Credit Card Data - www.imperva.com - 09/23/09 - "Imperva and the Ponemon Institute today announced the findings of a survey (http://www.imperva.com/ld/ponemon.asp) across more than 500 U.S. and multinational IT security practitioners showing that, despite the Payment Card Industry's (PCI) Data Security Standard (DSS), companies still struggle with data security, putting consumers at continued risk for identity theft."
- Man given time served for massive ID theft - www.delawareonline.com - 09/23/09 - "One of two men involved in a massive theft of ATM card information -- along with money from those compromised accounts -- was sentenced to time served, or just over two years in prison, on Tuesday in federal court. Artur Grigoryan, 27, a citizen of Armenia who overstayed a student visa, also is expected to be deported back to his native country."
- First Data And RSA “Legitimize” Tokenization–Then What? - www.storefrontbacktalk.com - 09/23/09 - "The conventional wisdom is that when large vendors enter a niche market, those vendors “legitimize” that market. But the announcement that First Data and RSA Security are getting into the credit card tokenization business raises many issues beyond them simply “making” the tokenization market. Here is my first take on the implications of this announcement:"
- The Yin-Yang Of Tokenization, Vendors Now Splitting Into Two Camps - www.storefrontbacktalk.com - 09/23/09 - "In recent months, an encrypted laundry list of vendors has announced products in the so-called end-to-end encryption space and/or the tokenization arena. But this week added two key announcements into the mix, from Voltage Security and a combo rollout from First Data and RSA Security. The reason they’re key is that, for the first time, two of the largest players are offering true differences, ones that speak more to retail security philosophy than anything else."
- Underground hacker forum taken offline - www.securecomputing.net.au - 09/22/09 - "An alleged underground forum used by hackers to sell logins and financial data has been hacked and taken offline. Mikko Hypponen, chief research officer at F-Secure, claimed that the web forum named ‘PakBugs' was an ‘underground' forum where people discussed hacking techniques and sold malware code, bank logins and stolen credit card numbers."
- Restaurant card skimmer sentenced - www.washingtonexaminer.com - 09/22/09 - "The leader of a card-skimming conspiracy that stole more than $700,000 from customers of Washington restaurants was sentenced to nearly seven years in prison. Erick V. Burton, 38, of District Heights, was the last member of the conspiracy to be sentenced. Burton conspired to recruit and pay servers at Clyde's, M&S Grill, and 701 Restaurant to "skim" the credit card numbers of paying customers. The servers were paid $20 per card number."
- US court rules that bank failed to protect customer against fraud - www.securecomputing.net.au - 09/22/09 - "The banking sector could face a major shake-up after a court in the US ruled that a bank failed to protect a user's account against fraudulent access. In a recent case, a US judge allowed Marsha and Michael Shames-Yeakel to bring a case against Citizens Financial Bank, who alleged that the bank failed to implement state-of-the-art security technology, as they were the victims of fraud perpetrated through their online bank account to the tune of $US26,500."
- Heartland CEO: More Card Encryption Needed - www.computerworld.com - 09/21/09 - "The top executive at Heartland Payment Systems Inc. last week called on credit card vendors, payment processors and retailers to embrace an encryption standard that would protect credit and debit card numbers. Robert Carr, Heartland's chairman and CEO, told the U.S. Senate Homeland Security and Governmental Affairs Committee that industry guidelines today don't require encryption of credit card numbers during transit between retailers, payment processors and card issuers."
- The Next PCI - www.digitaltransactions.net - 09/21/09 - "With compliant merchants and processors sustaining breaches, the card-data security standard is about to undergo its next revision with a long list of technologies to sort out. Meanwhile, merchants are feeling left out. When the major card brands introduced the Payment Card Industry data-security standard (PCI DSS) in January 2005, they hoped it would prove an effective weapon against database breaches."
- Come together, right now, over...security - news.zdnet.com - 09/21/09 - "Data breaches make major headlines. There’s no two ways about it. The more mundane business of keeping those headlines to a minimum, with the day-to-day efforts of the industry to keep customer’s payment data safe, is not the stuff of front page news. For those efforts to be successful, a cross section of industries must collaborate and share their latest ideas and experience of what’s going on in the front lines of payment card data protection."
- PD Arrest Alleged Credit Card 'Skimmer' - www.myfoxphoenix.com - 09/18/09 - "A 20-year-old man has been arrested for skimming credit card data off of debit cards, then using that to rob innocent victims. Police say that Vadym Ganzha, 20, was going to ATMs in the valley and stealing money from people's accounts, using a "skimming" device."
- Real-Time Hackers Foil Two-Factor Security - www.technologyreview.com - 09/18/09 - "In mid-July, an account manager at Ferma, a construction firm in Mountain View, CA, logged in to the company's bank account to pay bills, using a one-time password to make the transactions more secure. Yet the manager's computer had a hitchhiker. A forensic analysis performed later would reveal that an earlier visit to another website had allowed a malicious program to invade his computer."
- The Great Trust Offensive - www.businessweek.com - 09/17/09 - "'The spark began where it always begins, at a restaurant downtown, in a shop on Main Street,' intones a narrator as the camera lingers in a restaurant, bakery, and bike factory. 'Entrepreneurs like these are the most powerful force in the economy. As we look to the future, they'll be there ahead of us.'"
- PD Arrest Alleged Credit Card 'Skimmer' - www.myfoxphoenix.com - 09/16/09 - "A 20-year-old man has been arrested for skimming credit card data off of debit cards, then using that to rob innocent victims. Police say that Vadym Ganzha, 20, was going to ATMs in the valley and stealing money from people's accounts, using a "skimming" device. It copies the information from the magnetic strip on the back of your bank card."
- PCI, Remote Capture Get a Wary Eye Among Some Health-Care Officials - www.digitaltransactions.net - 09/16/09 - "Retailers have complained the loudest about the cost of complying with the Payment Card Industry data-security standard, or PCI, but comments Tuesday at a health-care payments conference indicate that medical providers also incur considerable expense to secure their card-accepting payment systems."
- When Hit With A Major Data Breach, Retailers Should Use The Buddy System - www.storefrontbacktalk.com - 09/16/09 - "There’s a very old joke that when swimmers are about to go into shark-infested waters, they should always swim with a buddy. If a shark attacks, feed him your buddy. Retailers today, swimming in cyberthief-infested wireless zones, are discovering a similar guideline plays out when there is an attack against a large number of retailers, such as what happened with TJX, Hannaford, 7-Eleven and others in the Gonzalez cases."
- Contact centre fraudsters could be responsible for credit card crime wave - www.callcentrehelper.com - 09/16/09 - "Customer fraud is being fuelled by organisations that pride themselves on their online security but are leaving their contact centres wide open to potential fraudsters, according to one industry expert."
- Heartland spends $32 million during first half on breach-related activities - www.internetretailer.com - 09/16/09 - "Heartland Payment Systems Inc. spent about $32 million in the first six months of this year on forensics, legal work and other activities related to the December 2007 database breach that resulted in the theft of millions of credit and debit card numbers, CEO Robert Carr told the U.S. Senate Committee on Homeland Security and Government affairs this week."
- New Report: Cyber Attacks Exploit 2 Vulnerabilities - www.bankinfosecurity.com - 09/15/09 - "More than half of current cyber attacks against businesses and government agencies are focused on two common vulnerabilities. This is the main finding of "The Top Cyber Security Risks," a new report based on data from actual attacks against organizations. The report, compiled by security vendors TippingPoint and Qualys, as well as the Internet Storm Center and SANS Institute, finds that client-side software and Internet-facing websites are organizations' greatest - and most overlooked - cyber risks."
- VeriFone Announces Global Security Solutions Business - www.reuters.com - 09/15/09 - "VeriFone Holdings, Inc. (NYSE: PAY) today announced the formation of its Global Security Solutions Business Unit, focused on delivering innovative security solutions, including VeriShield Protect end-to-end encryption, to protect cardholder data throughout merchant and processor systems."
- Senate plots cybercrime counterattack - www.federalnewsradio.com - 09/15/09 - "By all accounts, say the experts, cyber crime costs the world's economy more than a trillion dollars in losses - $8 billion of that right here in the United States alone. And, that, says Senator Joseph Lieberman (ID-Conn.), chairman of the Senate Homeland Security and Governmental Affairs Committee, makes it vital that steps be taken to combat cyber crime."
- 2 Arrested In Credit Card 'Skimming' Scheme - www.wftv.com - 09/15/09 - "Two men were arrested Tuesday for allegedly stealing credit card numbers from customers at restaurants and fast food chains. Florida Law Enforcement investigators say Matthew Adoo and Lee Rivera skimmed credit cards to buy fancy clothes and shoes. The accused mastermind, Brandan Tristan, however, is still on the run. Hugh and Nancy Stott know all about how skimming credit cards works."
- Lieberman to draft cyber bill - www.thehill.com - 09/14/09 - "Sen. Joe Lieberman (I-Conn.) plans to push legislation this year that would bolster the government against cyber attacks and may require private companies to meet new security standards."
- California Leads the Nation in Breach Disclosures - blogs.channelinsider.com - 09/14/09 - "Sitting on Gov. Arnold Schwarzenegger's desk is a bill that will make California's data breach disclosure requirements the most stringent in the nation. The bill, approved by the state assembly last week, will require any company operating in California or holding data on California residents to provide guidance to affected individuals on how to guard their identities and remediate identity theft in the wake of a breach of unencrypted data."
- After Gonzalez Plea, Feds Say BJ’s, OfficeMax Had More Critical Role - www.storefrontbacktalk.com - 09/14/09 - "When Albert Gonzalez officially pleaded guilty to many of the federal cyberthief charges against him on Friday (Sept. 11), the government shed a little more light on the case, such as that it was BJ’s Wholesale Club that was first attacked and that the Secret Service has collected “more than forty million distinct credit and debit card numbers from two computer servers” controlled by Gonzalez and his associates and has counted the consumer, retail and bank victims as “an enormous number of people, certainly millions upon millions, perhaps tens of millions.” "
- New Report: Cyber Attacks Exploit 2 Vulnerabilities - www.bankinfosecurity.com - 09/14/09 - "More than half of current cyber attacks against businesses and government agencies are focused on two common vulnerabilities. This is the main finding of "The Top Cyber Security Risks," a new report based on data from actual attacks against organizations."
- Heartland CEO: Credit Card Encryption Needed - www.pcworld.com - 09/14/09 - "Credit card transactions in the U.S. are often not encrypted, and credit card vendors, payment processors and retailers need to embrace an encryption standard to protect credit card numbers, the CEO of a breached payment processor said Monday."
- Don’t Hire a QSA by Seeking the Lowest Bid, Warns Heartland’s Carr - www.digitaltransactions.net - 09/13/09 - "Among lessons learned by Heartland Payment Systems Inc. after the massive data breach at the merchant acquirer last year: Don’t necessarily hire the qualified security assessor (QSA) offering the lowest bid, says Robert O. Carr, chairman and CEO. Processors and merchants need to hire QSAs in the same way they hire financial auditors, Carr said during a webinar on Thursday sponsored by Debix."
- London-based East European gang used Barclays bank cards in £300,000 French cash point scam - www.dailymail.co.uk - 09/13/09 - "Dozens of London-based Slovakians have been arrested in northern France after using Barclays bank cards to fraudulently withdraw more than £300,000 in cash. The astonishing scam saw up to 50 of the eastern Europeans arrive in Calais early last Friday morning before emptying cash points across the region. Armed police made 34 arrests, but not before many had fled with bags of money which remain unaccounted for."
- Hackers breach Warrick Co. bank accounts - www.14wfie.com - 09/12/09 - "Cyber thieves have recently hacked their way into dozens of online bank accounts in Warrick County. Investigators said that it happened to customers of People's Saving and Trust Bank in Boonville. The breach is not being done inside the bank itself, but rather to the company that services their customer's debit cards. It's been happening since the first of the month. The bank has narrowed it down to 38 accounts, and victims have been coming forward all week."
- NAIT student gets two years for forgery - www.edmontonsun.com - 09/11/09 - "An Edmonton man had his dreams of continuing his NAIT business studies dashed today as he was sentenced to two years in prison for credit card forgery. Inderjeet Singh Sagoo, 24, had been hoping to get a conditional sentence to be served in the community so he could return to school, but the judge rejected the defence pitch."
- End-to-End Encryption: The PCI Security Holy Grail - www.computerworld.com - 09/10/09 - "One of the fascinating things to do when in New York City is to visit the Federal Reserve gold vault. The vault lies 86 feet below sea level, resting on Manhattan bedrock, and holds approximately 5,000 metric tons of gold bullion. The Federal Reserve Bank does not own the gold but serves as guardian of the precious metal, which it protects at no charge as a gesture of goodwill to other nations. Obviously, the security measures to protect hundreds of billions of dollars of gold are intense."
- Rising Costs And a PCI Upgrade Drive Gas Sellers to Reconsider PIN Debit - www.digitaltransactions.net - 09/10/09 - "Rising processing costs and Visa Inc.’s mandate that point-of-sale terminals be upgraded to do Triple-DES encryption for PIN-based debit transactions are prompting gas sellers to rethink PIN debit acceptance. Fuel sellers are talking about dropping PIN debit because of the hike in cost for authorization, says Branden Williams, director of PCI compliance for Verisign. “There’s no cost advantage any more or the cost advantage is smaller,” he says."
- PCI Report Poses a Quandary: Where Did 1 Million Merchants Go? - www.digitaltransactions.net - 09/10/09 - "The biggest merchants are moving toward 100% compliance with the Payment Card Industry data-security standard, or PCI, but compliance among small card acceptors remains much lower, according to second-quarter statistics from Visa Inc. None of that is a surprise given PCI compliance trends in recent years. But just how far small merchants lag large ones in meeting their PCI obligations is a matter of debate, as is the actual number of low volume, card-accepting merchants."
- Is PCI DSS a Safe Investment? - www.banktech.com - 09/10/09 - "Should merchants continue to invest in Payment Card Industry Data Security Standards (PCI DSS) in a down economy? Yes. The losses—not just in fines and litigation, but also reputational damage—associated with the consequences of a data breach are astronomical when compared with the annual burden of maintaining compliance. PCI is an excellent baseline for cardholder security, but should PCI be made law?"
- Updated VISA TDES Program Frequently Asked Questions - usa.visa.com - 09/10/09 - "Visa USA has released an updated version of their Frequently Asked Questions PDF document for their Triple DES PIN Security Program."
- Identity theft warning: possible credit card skimmer at Atascadero gas station - www.ksby.com - 09/10/09 - "The Atascadero Police Department says a "skimmer," or illegal credit card reading device, may have been installed in a gas station pump in the city. Police responded to a report of vandalism at the Tesoro Gas Station in the 6300 block of Morro Road on August 31. A pump had automatically shut down the previous day, and a repair technician discovered that internal wiring had been unplugged, causing the pump to fail."
- Card Skimmer Suspected In Gas Station Vandalism - www.myfox11.com - 09/10/09 - "A local gas station believes a card skimmer may have been used on one of their gas pumps. On August 30th, the Tesoro Gas Station at 6305 Morro Road in Atascadero noticed that one of their pumps was not working. They called out a technician who found that internal wiring had been unplugged from the pump causing it to fail. Upon further inspection, the technician believes that a card skimmer may have been removed causing the pump to fail."
- Man Sentenced in Card Skimming - www.wsbradio.com - 09/10/09 - "A federal judge has sentenced a 29-year-old Bulgarian to more than four years in prison for conspiring to steal bank debit card numbers and passwords with a skimming device. U.S. District Judge Willis B. Hunt Jr. sentenced Yordan Kavaklov on Thursday. Acting U.S. Attorney Sally Quillian Yates said that at the time of their arrest, Kavaklov and his co-defendant had 80 gift cards that had been altered to include customer account information and were using them to drain the customers' accounts."
- Visa Data Security Alert: SQL Injection Attacks - usa.visa.com - 09/08/09 - "Recent data security breaches continue to show the prevalence of Structured Query Language (SQL) injection attacks on e-commerce Web sites, corporate Web sites and Web-based applications that manage card accounts (e.g., PIN updates, monetary additions, account holder updates). These attacks also showed how the lack of segmentation between the corporate websites and the payment systems pose serious additional risks to card data stored or transmitted within systems (e.g., Microsoft and UNIX-based) and networks connected to the affected environment."
- TJX Settlement. More Proof That Security Investment Is Really Hard To Justify - www.storefrontbacktalk.com - 09/07/09 - "Not that it was needed, but more proof materialized this month that substantial security investments are really hard to justify. TJX announced Sept. 2 what will likely be the last of the settlements of class action lawsuits against it from the data breach of its systems that began in 2005 and which impacted more than 100 million payment cards."
- Heartbreak over Heartland: Why Prosecution for Data Breaches Isn't Enough - writ.news.findlaw.com - 09/04/09 - "Debit card users often feel safe because their cards are PIN-protected. But recent events show that, like credit cards, debit cards can be compromised, when the databases of large retail merchants or card processors are hacked. In late August, the U.S. Department of Justice issued indictments in what is, to date, the largest data breach in the United States – with over 130 million credit and debit card numbers compromised."
- HarborOne Recoups at Least Some of its Losses From TJX - www.cutimes.com - 09/03/09 - "The $1.8 billion HarborOne Credit Union has received at least a partial settlement from the TJX Company over the damages it suffered during that firm's 2007 card security breach. At the time, January 2007, the TJX breach was the biggest card data breach ever seen, compromising roughly 45 million credit and debit card numbers. Since then it has been surpassed by a similar breach at Heartland Payment Systems that the government alleged involved the same hacker."
- One Swipe Could Cost You $$$$$ - www.krdo.com - 09/03/09 - "You probably will use your credit or debit card today at a business you trust, but what about the employee swiping it? Colorado Springs Police detectives say credit card skimming is on the rise in southern Colorado and you could be the next victim and not know it until you get your bill."
- 3 convicted in ID theft ring targeting Taco Bell, gym patrons - www.gazette.com - 09/03/09 - "Three people from Colorado Springs have been convicted in a string of 49 financial crimes along the Front Range. In a credit card and identity theft scam going back several months, the group used an electronic device known as a credit card skimmer to steal credit card numbers from patrons of a local Taco Bell and members of gyms in Woodland Park, Broomfield, Lakewood, Canon City and Pueblo."
- New PCI data security rules coming in 2010 and threats of fines loom over web retailers - www.internetretailer.com - 09/02/09 - "Mark Wilson thinks it's important to guard his customers' credit card numbers. But without an information technology specialist at his small online retail business, Night-Gear Inc., he had about given up on achieving compliance with the PCI security standards designed to protect cardholder data. After months of notices from a security service that his site did not meet the requirements of the Payment Card Industry Data Security Standard—notices he struggled to comprehend—Wilson was prepared to go on paying the small monthly fines his processor assesses non-compliant merchants."
- Local detective earns high praise for police work - www.oshawaexpress.com - 09/02/09 - "He was a leading member in the team responsible for shutting down an organized crime syndicate’s multi-million dollar card skimming operation. And now the hard work is paying off. Durham Region Detective Jeff Caplan was one of two Canadian officers who were recently recognized with a Canadian Banks’ Law Enforcement Award (CBLEA) in Charlottetown, Prince Edward Island at the annual Canadian Association of Chiefs of Police Conference."
- University announces credit card breach - www.consumerloanwire.com - 09/02/09 - "University of Vermont recently discovered that the security of up to 242 university-funded credit cards has been compromised. Ann Naylor of UVM Procurement services said in a statement that UVM is unaware of how the breach occurred. UVM discovered the issue when they were notified by their bank."
- Park Ridge ATMs add to $700 million in annual losses to fraud - www.chicagotribune.com - 09/02/09 - "The FBI and the banking industry are advising people to be vigilant when using ATMs after a recent "card skimming" scam at a Park Ridge bank in which thieves attached an electronic device to an ATM in order to loot accounts. The card skimming has been a problem for years, but thieves appear to be getting bolder, said Chicago FBI special agent Ross Rice. "It's not specific to any bank or ATM machines," he said."
- Five More Accused in Credit Card Fraud Investigation - www.ecommerce-guide.com - 09/02/09 - "The five men operated thousands of miles from Manhattan, under aliases like “the Viver,” “Inexwor” and “DoZ.” And with their true identities obscured on the Web, Manhattan prosecutors said, these men were able to play intimate roles in a cybertheft that resulted in more than 95,000 stolen credit card numbers and $4 million worth of fraudulent transactions."
- PCI Security: Small E-tailers Face Large Fines if Hacked - www.nytimes.com - 09/01/09 - "Many small online merchants don’t understand much about the powerful technology behind their e-commerce store or how vulnerable this technology is to being hacked. We rarely read about a small merchant's computer system being broken into, because the large ones are so much more spectacular. But some security experts now say it's not a question of if you will be hacked, it's when."
- Debit-card reader stolen from Polo Park store - www.winnipegfreepress.com - 09/01/09 - "Police are on the hunt for a pair of men suspected of stealing a debit-card reader from a Polo Park Shopping Centre retailer. While in the store last Friday morning, one of the men distracted an employee in conversation while the second disconnected and stole the store’s debit PIN pad, replacing it with an inoperable PIN pad, police said."
- Extra Steps to Keep Customers' Credit-Card Data Safe and Secure - www.rimag.com - 09/01/09 - "Bertucci’s, the Northborough, Mass.-based Italian casual-dining chain, has never had a credit-card security breach. If Kevin Quinlan has his way, it never will. Quinlan has equipped Bertucci’s corporate and store-level computers with file-locking software that prevents employees from downloading iTunes, burning CDs and surfing the Internet on company computers."
- Heartland Payment Systems End to End Encryption - www.americanbanker.com - 09/09 - "Heartland Payment System's E3, an end-to-(almost) end encryption process, has the greatest potential of any new product to impact the security of America's financial system in the coming year. And by bringing it to market just about seven months after the company announced the discovery of its massive data breach, Heartland wins kudos for reacting expeditiously to both save the company and set a standard for the rest of the industry to follow."
- Q&A: PCI Compliance: There’s No Getting Around It - www.bsminfo.com - 09/09 - "What is the most important trend in card processing that VARs should be aware of? Jeff Wakefield, VP of marketing, VeriFone: While VARs and dealers generally understand PCI programs and requirements, their customers most often do not."
August 2009
- Credit card scam: Shopkeepers under scanner - www.indiatimes.com - 08/31/09 - "The economic offences wing of the Mumbai police has busted a credit and debit card racket in which some shopkeepers had cloned the cards and showed fake transactions. According to sources, some Nigerians used to supply the accused with cloned cards through which they showed huge purchases to get money from the banks."
- UK government adopts contactless mobile payments anti-fraud guidelines - www.thepaypers.com - 08/31/09 - "The UK government has been collaborating with mobile phone and card payments industry operators and financial services providers on a series of guidelines aiming to prevent fraud and lower risks associated with contactless mobile payments. UK banks and mobile operators are currently trialling mobile contactless technology which allows users to carry out tap-and-go payments for low-value items."
- Skimmers Rig Door Instead Of ATM - www.consumerist.com - 08/31/09 - "Last week, a customer in Long Beach, New York, discovered a skimmer attached to the outside of a local ATM branch instead of on specific machines. We've talked a lot about being wary of any suspicious add-ons at the ATM, but in this case the criminals were collecting card info as people swiped to enter the building—although they still had pinhole cameras set up to record PINs next to each keypad."
- Skimmers Rig Door Instead Of ATM - www.berrowsjournal.com - 08/30/09 - "A 23-year-old man is accused of skimming card details from a cash machine in Worcester city centre. Adrian Popescu is alleged to have had under his control an electronic skimmer fixed to the Nationwide cash machine in Worcester’s High Street. "
- NJ waiter accused of stealing credit card numbers - www.databreaches.net - 08/29/09 - "A waiter using an electronic “skimmer” stole credit card information from at least 100 patrons at restaurants in Jersey City and Newark and then gave the information to an identity theft ring that racked up tens of thousands of dollars worth of fraudulent purchases, officials said."
- Jersey City, Newark waiter accused of stealing credit card numbers - www.securecomputing.net.au - 08/28/09 - "A waiter using an electronic "skimmer'' stole credit card information from at least 100 patrons at restaurants in Jersey City and Newark and then gave the information to an identity theft ring that racked up tens of thousands of dollars worth of fraudulent purchases, officials said."
- Researchers crack WPA encryption in 60 seconds - www.nj.com - 08/28/09 - "Newer WPA2 devices safe... for now. Japanese researchers claim to have found a way to break the Wi-Fi Protected Access (WPA) encryption system used in wireless routers in just 60 seconds. Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University plan to explain their method at a technical conference on 25 September in Hiroshima."
- Prosecutor: NJ waiter stole credit card data - www.philly.com - 08/28/09 - "Authorities in northern New Jersey say a waiter using an electronic "skimmer" device stole credit card information from at least 100 customers of restaurants in Jersey City and Newark and passed it to an identity theft ring. Prosecutors say the ring used the data to make thousands of dollars of fraudulent purchases."
- Police: 'Skimmer' Found On Bank ATM - www.kmbc.com - 08/28/09 - "Police are warning ATM customers to check if the machine looks different before using it because it may have a "skimmer" that is designed to steal your card information. A local bank alerted Kansas City police after finding such a device on at least one of its ATMs in the past month."
- Maximizing self-service revenue with credit card processing - www.selfserviceworld.com - 08/28/09 - "Though the use of credit cards may seem about as simple and ubiquitous as it gets, the credit card-processing industry is very complicated. To maximize the profitability of self-service deployments, it is first necessary to understand how the industry works and to then use that knowledge to your advantage. "
- Biggest Breaches of 2009 - www.bankinfosecurity.com - 08/28/09 - "There have been 356 data breaches so far in 2009, according to the Identity Theft Resource Center (ITRC). And 46 of those breaches have involved financial institutions - up from 34 at this same time last year. In reviewing these 46 incidents (see interactive timeline w/details of each breach), one finds good news and bad, according to ITRC executive director Linda Foley."
- Hacker to Plead Guilty in Major Identity Theft Case - www.washingtonpost.com - 08/28/09 - "A computer hacker accused of masterminding one of the largest cases of identity theft in U.S. history agreed Friday to plead guilty and serve up to 25 years in federal prison. Albert Gonzalez of Miami was charged with conspiracy, wire fraud and aggravated identity theft in federal courts in New York and Boston."
- Replicating the Gonzalez Cyber Attacks through Penetration Testing - www.coresecurity.com - 08/27/09 - "YOU’RE INVITED: IT SECURITY WEBCAST - Last week saw the indictment of cybercrime kingpin Albert Gonzalez, one of the accused masterminds behind high-profile data breaches at Heartland Payment Systems, Hannaford Bros. Supermarkets, 7-Eleven, and TJX. Next week, Core Security Technologies will present a hands-on look at the attacks Gonzalez and his co-conspirators are believed to have used in breaching these organizations."
- Prosecutor: NJ waiter stole credit card data - www.phillyburbs.com - 08/28/09 - "Authorities in northern New Jersey say a waiter using an electronic "skimmer" device stole credit card information from at least 100 customers of restaurants in Jersey City and Newark and passed it to an identity theft ring. Prosecutors say the ring used the data to make thousands of dollars of fraudulent purchases."
- Visa to Host Interlink Merchant TDES Compliance Webinar - www.visa.com - 08/27/09 - "On Wednesday, September 9, 2009, Visa will host a free Interlink Merchant Triple Data Encryption Standard (TDES) Compliance webinar. This webinar will provide a summary of the Visa compliance policy implemented to facilitate TDES usage at Interlink merchants in both the attended and unattended Automated Fuel Dispenser environments."
- Fort Washington man sentenced in credit card scam - www.gazette.net - 08/27/09 - "A Fort Washington man believed to be the mastermind of a credit card scheme that swiped more than $800,000 from customers at area restaurants has been sentenced to seven years in prison, according to the U.S. attorney's office for the Eastern District of Virginia."
- J.C. Penney, Target Added To List Of Gonzalez Retail Victims - www.storefrontbacktalk.com - 08/27/09 - "Albert Gonzalez, who has been accused of managing the data breaches at TJX, Hannaford, 7-Eleven and Heartland (among many others), has once again agreed to plead guilty to parts of two of the three federal cases against him, his attorney, Rene Palomino, said Thursday (Aug. 27)."
- Police bust possibly largest-ever debit/credit skimming scheme - www.am770chqr.com - 08/27/09 - "Calgary police say they've arrested four men from Quebec after finding equipment related to debit and credit card skimming. Police say they searched an illegally parked car near Eau Claire Market downtown, and found three PIN pads used in retail stores, and the pads showed signs of tampering. Three men in the vehicle were taken into custody and police obtained warrants to search two suites at a hotel in northeast Calgary."
- Police make major organized crime bust - www.660news.com - 08/27/09 - "Four men with suspected ties to organized crime in eastern Canada have been arrested and charged in our city, after what's being called the largest seizures of credit and debit card skimming equipment in Calgary. CPS Spokesman Kevin Brookwell tells 660News officers searched a car parked illegally in the Eau Claire area on Wednesday, interviewed the trio inside and made a major discovery."
- Cops probe skimmer found on bank ATM in Long Beach - www.newsday.com - 08/27/09 - "Long Beach police are analyzing an electronic skimmer that had been installed on a bank ATM to steal account information from customers’ debit and credit cards. Detectives are not sure yet how many customer accounts were compromised at the Chase Bank branch on East Park Avenue, Lt. Bruce Meyer said."
- Gan police investigate scam - www.thewhig.com - 08/26/09 - "Gananoque Police have released surveillance photos of two men wanted in connection with a scam that may have drained thousands of dollars from the bank accounts of as many as 15 people. "It would have been a substantial amount of money," Sgt. Rhonda Sherboneau of Gananoque Police said yesterday."
- U.S. Payment-Card Industry Grapples With Security - www.nacsonline.com - 08/26/09 - "Broad disagreements between merchants and financial firms continue to permeate the payment card industry, highlighting the challenges to reform and upgrade data security measures, Reuters reports. Most recently, data processor Heartland Payment Systems maintained that its computer networks met security standards meant to prevent data breaches, while Visa alleged that Heartland 'may have let its guard down.'"
- Credit Card fraud exposed in Andhra Pradesh - www.databreaches.net - 08/26/09 - "The sleuths of Cyber Crime Cell of Hyderabad Police today claimed to have busted a credit card fraud involving clandestine leakage of client’s confidential data with the arrest of four persons belonging to Andhra Pradesh. The police seized cloned credit cards of various banks, (local and international pertaining to Indians cards), skimmer (a device used for reading and writing credit card data), card printer (device used to create fake credit cards), one computer system, one laptop, several fabricated identity proofs, photographs, a release said here today."
- 3 Data Security and Privacy Bills Introduced in Congress - www.paymentsecuritypros.com - 08/25/09 - "The SPSP often discusses the likelihood of federal legislation to mandate the protection of consumer information. To date, three data security and privacy bills have been introduced in the US Congress this year. In January, Senator Dianne Feinstein (D-CA) introduced a federal data breach notification law. Sen. Feinstein has long been an advocate of such a law at the Federal level. This is not surprising, as she represents the state credited with the advent of such laws."
- Juggling Chainsaws - www.paymentsecuritypros.com - 08/25/09 - "Welcome to the end of another eventful summer. Over the last three months, we've seen stories about data breaches, data security regulation and new technologies. That being the case, it seemed only appropriate that we discuss these topics in the August issue of the SPSP Wire."
- ‘The Analyzer’ Pleads Guilty in $10 Million Bank-Hacking Case - www.wired.com - 08/25/09 - "Ehud Tenenbaum, aka “The Analyzer,” quietly pleaded guilty in New York last week to a single count of bank-card fraud for his role in a sophisticated computer-hacking scheme that federal officials say scored $10 million from U.S. banks. The Israeli hacker was arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks."
- PCI Council Releases Recommendations For Preventing Card-Skimming Attacks - www.darkreading.com - 08/25/09 - "The PCI Security Standards Council (PCI SSC) today unveiled best practices for retailers to defend themselves against the growing number of credit- and debit-card skimming scams. Skimming credit- and debit-card data is becoming a popular way for cybercriminals to steal credit and debit card account numbers and execute financial fraud against grocery stores, gas stations, convenience stores, and other retailers and their customers, who are increasingly falling victim to hijacked card readers and ATM machines. "
- Eastern European Cyber Criminals Target U.S. Businesses - www.washingtonpost.com - 08/25/09 - "Organized cyber gangs in Eastern Europe are increasingly preying on small and mid-sized companies in the United States, setting off a multi-million dollar online crime wave that has begun to worry the nation's largest financial institutions. A task force representing the financial industry sent out an alert Friday outlining the problem and urging its members to put in place many of the precautions now used to detect consumer bank and credit card fraud."
- PD: Man uses ‘skimming’ to steal from victims’ bank accounts - www.abc15.com - 08/25/09 - "Police are looking for a man who allegedly withdrew money from the accounts of people who still had their debit cards by using a skimming device. Officer James Holmes with the Phoenix Police Department said between June 17th and July 29th, the suspect withdrew money from the accounts of two different victims."
- U.S. payment-card industry grapples with security - www.reuters.com - 08/24/09 - "Fresh details of large-scale cyber attacks against data processor Heartland Payment Systems Inc and supermarket chain Hannaford Brothers show the challenges facing the efforts of the U.S. credit-card industry to upgrade security measures."
- Police: Thief Used ATM Skimmer - www.kpho.com - 08/24/09 - "Police are searching for a man who may have stolen money from people's bank accounts through an ATM skimmer, authorities said. According to Phoenix Police Department spokesman Officer James Holmes, the same man withdrew money from the bank accounts of two different victims between June 17 and July 29."
- BNZ, ANZ chips in for smart cards - www.stuff.co.nz - 08/24/09 - "The Bank of New Zealand will begin issuing smart credit cards with built-in microchips by the end of the year. BNZ spokeswoman Dee Crooks says it is "in the process of developing chip functionality" for a range of its credit cards."
- WEBINAR - Payment Data: Don't Store It, Handle It - www.cybersource.com - 08/24/09 - "Maintaining payment security doesn't require adding even more proverbial locks and bolts to your infrastructure. In fact, you can secure your payment process – including complying with PCI-DSS standards – with less cost, complexity, and time."
- $200K lost in ATM skimmings in Hampton Roads - www.wvec.com - 08/24/09 - "Federal authorities are investigating an ATM skimming scam that has stolen the financial information of at least 25 people in Hampton Roads. Officials told WVEC.com Monday that losses total in the $200,000 range."
- Card skimmer added to cashpoint - www.northumberlandgazette.co.uk - 08/17/09 - "Police have released details about a skimming device being installed at a South Tyneside cashpoint. It was installed on May 1 at the Asda in New Road, Boldon Colliery to the Lloyds cashpoint."
- Head credit card skimmer sentenced to seven years - www.washingtonexaminer.com - 08/23/09 - "The mastermind behind a credit card skimming scheme was sentenced to seven years in prison for racking up more than $800,000 on cards stolen from Washington-area diners. Joseph A. Bush III, 29, also was ordered to pay $815,000 in restitution that prosecutors said the gang stole from more than 50 financial institutions in thousands of transactions."
- Card skimmer found on cash machine - www.thisisleicestershire.co.uk - 08/22/09 - "Card skimmers have struck again at a town centre cash machine. It is the fourth time in recent months that the machine in Lutterworth has been targeted. The equipment is attached to a cash point and reads personal information when cards are inserted."
- Police 'slow to pick up card con devices' - www.oxfordmail.co.uk - 08/21/09 - "TWO people who found card-cloning devices on cash machines criticised police for failing to collect the devices. The devices, which are used to ‘skim’ card details and record PIN numbers, were found and removed by members of the public in Abingdon and Kidlington."
- Identity theft via malware set to skyrocket - www.securecomputing.net.au - 08/21/09 - "Identity theft from malware infections could rise as much as 600 per cent this year, according to researchers. Security vendor PandaLabs said that the number of personal computers infected with malware designed to steal personal and financial data had jumped steeply over the past year."
- Police want to speak to CCTV pair - www.eadt.co.uk - 08/21/09 - "POLICE have issued CCTV images of two men they would like to question in connection with a card skimming theft in Chelmsford. The skimming device was used during the afternoon of August 9 to steal the details of a debit card used at a cash machine in Barclays Bank, Moulsham Street."
- In Gonzalez Hacking Case, a High-Stakes Fight Over a Ukrainian’s Laptop - www.wired.com - 08/20/09 - "When Turkish police arrested Maksym “Maksik” Yastremskiy — a Ukrainian wholesaler of stolen identity data — in July 2007, they didn’t just collar one of the most-wanted cybercriminals in the world. They also got a trove of evidence about Yastremskiy’s buyers and suppliers, all locked in an encrypted vault on his laptop computer."
- $240K to be paid back by Washington-area ATM skimmer - www.washingtonexaminer.com - 08/20/09 - "A Hyattsville man has been ordered to pay back the $240,000 he stole by skimming personal information from more than 150 victims as they used Washington-area automated-teller-machines. Konstantin Sintsev, 24, will also spend more than four years in prison for the scheme he ran with Latvian immigrant, Vitalijs Balsevics, a judge in Alexandria's federal court ruled Tuesday."
- Card-skimmer found on ATM (Australia) - www.goldcoast.com.au - 08/20/09 - "POLICE are investigating after a card-skimming device was found on an ATM in Kirra. The device was found at a Commonwealth ATM on a wall in front of a newsagency in Musgrave Street. A Commonwealth Bank spokeswoman said customers who had used the ATM in recent days were encouraged to head to a branch and change their PIN."
- Skimmers Emptying Greenville County Bank Accounts - www2.wspa.com - 08/20/09 - "It’s easy to hand over the plastic when your belly is full. “They take the card and walk away with it,“ said Tim Martin, an investigator with the Greenville County Sheriff’s Office. Martin is talking about restaurant employees who get your receipt and deliver it to your table. And when you leave, you are less likely to look back and see what can happen to your bank account. "
- Massachusetts Data Protection Law Amended, Delayed - Again - www.bankinfosecurity.com - 08/20/09 - "Once again, Massachusetts is delaying the compliance deadline for its toughest-in-the-nation data protection rules. The new effective date is March 1, 2010. Saying that the state must balance the needs of consumer privacy protection with the needs of small business, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has also amended its data security regulations. "
- Hacker Mitnick may sue AT&T over data breach - news.cnet.com - 08/20/09 - "After having his AT&T wireless account breached and his personal information posted on the Web, famed hacker Kevin Mitnick thought the least the cellular service provider could do was compensate him for his troubles."
- Cop helps stop potential $1-M fraud - www.winnipegsun.com - 08/19/09 - "The term "what goes around comes around" may best apply to the downfall of a Vancouver man, whose alleged credit-card fraud scheme unravelled thanks to a fellow criminal. By catching the suspect, Winnipeg fraud investigators have prevented a potential $1 million loss to the financial industry, city police said."
- Radisson Hotels Reporting Significant Data Breach - www.cutimes.com - 08/19/09 - "The Radisson Hotel chain is the latest American retail company to announce it has suffered a significant breach of its computer systems resulting in the compromise of credit and debit card data."
- Expert: Banks too cheap to really halt credit and debit card ID theft - blogs.consumerreports.org - 08/19/09 - "As we reported previously, criminals have become increasingly adept at hacking computer systems at banks, data processors and other links in the financial chain to steal consumers’ credit and debit card data en masse."
- Cashpoint scam warning - www.chelmsfordweeklynews.co.uk - 08/19/09 - "POLICE are warning cashpoint users to be on their guard after a skimming device was used in Chelmsford. At around 3.50pm on Sunday a debit card that had been held in a skimming device, at Barclays Bank, in Moulsham Street, was removed and used to withdraw £500 from a Lloyds Bank cashpoint nearby."
- Hacking kingpin negotiating plea deal with feds - news.idg.no - 08/19/09 - "U.S. prosecutors are negotiating a plea deal with the attorney representing Albert Gonzalez, who has been indicted three times on charges related to some of the largest data breaches in history. The former government informant facing three separate indictments for allegedly being behind the largest data breaches in U.S. history is being offered a plea deal, U.S. and defense attorneys confirmed today."
- A PCI-Compliant Cloud? Not at Amazon - www.datacenterknowledge.com - 08/19/09 - "There’s an ongoing debate about the ability of cloud computing services to meet enterprise regulatory compliance requirements, including the Payment Card Industry Data Security Standard (PCI DSS) standard that is essential for e-commerce. Martin McKeay at the Network Security Blog recently highlighted the admission by one of the most popular cloud services, Amazon Web Services, that it does not support the highest levels of PCI compliance."
- Four in Elkridge hotel busted for identity theft - www.explorehoward.com - 08/19/09 - "Howard County police are working to identify 100 people whose financial and personal details were found in an Elkridge hotel Aug. 10. As a result of the bust, four Florida residents face charges in a theft scheme that stretches across four states, police said. Police were called to the Best Western hotel in the 6700 block of Dorsey Road Aug. 10 after a housekeeper found suspicious documents in a hotel room trash can, police said."
- Emerging alternatives to chip and PIN to tackle card fraud in the US - www.datamonitor.com - 08/19/09 - "Card fraud is expected to increase in the US with the country still no nearer to introducing the chip and PIN technology which has proved successful in Europe. With fiscal pressures particularly evident in the current economic climate, technology vendors are rushing to pilot alternative solutions to the costly chip and PIN option."
- 7-Eleven Statement Regarding 2007 Credit Card Fraud - www.storefrontbacktalk.com - 08/18/09 - "Massachusetts has watered down its proposed retail data security regulations to make them more palatable to small businesses. Calling for a “risk-based” approach that takes into account a business’ size and the risk of identity theft posed by its operations, the revised regulations are intentionally vague instead of specific in several areas."
- 7-Eleven Statement Regarding 2007 Credit Card Fraud - www.businesswire.com - 08/18/09 - "7-Eleven, Inc. has learned that federal authorities in New Jersey have indicted individuals for the theft of credit and debit card numbers in a computer hacking scheme targeting multiple retailers in a number of separate incidents over the last several years. The company became aware in late 2007 that a security breach had occurred."
- Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks - www.usdoj.gov - 08/17/09 - "Albert Gonzalez, 28, of Miami, Fla., was indicted today for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of New Jersey Ralph J. Marra Jr. and U.S. Secret Service Assistant Director for Investigations Michael Merritt."
- TJX Hacker Charged with Heartland, Hannaford Breaches - www.wired.com - 08/17/09 - "Albert “Segvec” Gonzalez, a former Secret Service informant who is already awaiting trial over his involvement in the TJX hack, has been indicted by a federal grand jury in New Jersey, along with two unnamed Russia-based conspirators, with hacking into Heartland Payment Systems, the New Jersey based card processing company, as well as Hannaford Brothers, 7-Eleven, Inc, and two unnamed national retailers, according to the indictment unsealed Monday."
- Credit Card Payment Security Goes Beyond PCI, Says ProPay - www.businesswire.com - 08/17/09 - "In light of recent security breaches and announced plans by other companies in the industry to address End-to-End (E2E) data security solutions, ProPay has been implementing an End-to-End data security solution over the past several months."
- Debit card scam operating in Valley - www.ktar.com - 08/17/09 - "Desert Schools Federal Credit Union in the Valley is warning members about a scam involving debit cards. Here's how it works: your bank sends you a text message saying your debit card has been blocked and you need to call VISA at a certain number."
- How Tiny Iron Particles Could Secure Your Data - www.cujournal.com - 08/17/09 - "Tiny iron particles may be the next item in the banking industry's antifraud toolkit. Visa Inc. and Fifth Third Bancorp are testing a system that evaluates the physical properties of the iron in the magnetic stripes on payment cards."
- Mass. Dilutes Data Security Regs To Appease Smaller Retailers - www.storefrontbacktalk.com - 08/16/09 - "Massachusetts has watered down its proposed retail data security regulations to make them more palatable to small businesses. Calling for a “risk-based” approach that takes into account a business’ size and the risk of identity theft posed by its operations, the revised regulations are intentionally vague instead of specific in several areas."
- A new breed of thieves - www.bclocalnews.com - 08/15/09 - "Storming into an establishment and strong arming people to give up cash has given way to a highly organized network of near invisible criminals who wield impressive technological skills to separate people and institutions from their money."
- Tokenization vs. end-to-end encryption - news.idg.no - 08/15/09 - "Over the last few months, the PCI Knowledge Base has been doing research on the impact of PCI compliance on fraud and fraud management for the Merchant Risk Council. One of the things we've learned is that, in general, the PCI-mandated controls are most effective at reducing internal fraud due to insider threat."
- Chesterfield police seek information on ATM “skimmer” suspects - www2.timesdispatch.com - 08/14/09 - "Chesterfield County police are looking for four males accused of using bank card information to purchase items and withdraw cash from automated teller machines in the Chester area and along Interstate 95."
- Search for Meaning: What Is End-to-End Encryption? - www.americanbanker.com - 08/14/09 - "Processors and payments hardware vendors are promoting the concept of end-to-end encryption, but there is no clear definition for the security format. The point-of-sale terminal vendor VeriFone Holdings Inc. is offering the technology and Heartland Payment Systems Inc. is testing it now."
- Four arrested for alleged credit card fraud - www.ottawacitizen.com - 08/14/09 - "Police have arrested four men in connection with a series of alleged credit card frauds in Rockland. Ontario Provincial Police said the suspects tried to use a stolen credit card to make a purchase at a Laurier Street Shoppers Drug Mart."
- Man Charged in Scam To Steal Credit Card Data - www.washingtonpost.com - 08/14/09 - "A Germantown man has been accused of obtaining stolen credit card data belonging to more than 20 patrons of a District restaurant. Alpha Daye Bah, 31, was arrested last week on fraud charges filed in the District's federal court."
- Security Breach Notification Law Chart - www.linexlegal.com - 08/13/09 - "This chart provides information regarding security breach notification legislation which has been enacted in U.S. jurisdictions. The pioneering statute on this issue, California's Security Breach Notification Act, is often used as a model for other state statutes."
- PEI Education Session: PCI Compliance Update - www.pei.org - 08/13/09 - "Don't miss the major equipment providers -- Dresser Wayne, Gilbarco Veeder-Root and VeriFone -- and their distributor and service contractor guests in this lively panel discussion about the implementation of the Payment Card Industry (PCI) regulations. "
- Restaurant struggles to clear name - www2.hernandotoday.com - 08/13/09 - "Summer has always been a slower time for King's Wok. But dropping to 15 customers in a 10-hour day was unexpected. The restaurant owners believe it's fear keeping their clientele at bay, but a fear that is unjustified."
- PCI, QSAs, Hackers, and Slackers: Will the Real Enemy Please Stand Up? - www.csoonline.com - 08/13/09 - "A very heated reaction has followed the interview I conducted yesterday with Robert Carr, CEO of Heartland Payment Systems. One reader even said the resulting Q&A made his "blood boil.""
- Heartland CEO on Data Breach: QSAs Let Us Down - www.csoonline.com - 08/12/09 - "For Heartland Payment Systems Inc. CEO Robert Carr, the year did not start off well, to say the least. In January, the Princeton, N.J.-based provider of credit and debit processing, payment and check management services was forced to acknowledge it had been the target of a data breach -- in hindsight, possibly the largest to date with 100 million credit and debit cards exposed to fraud."
- Retail Payments Risk Forum Collaborates to Fight Payments Fraud - www.banktech.com - 08/12/09 - "Recognizing the serious, pervasive nature of payments fraud, the Atlanta branch of the Federal Reserve has established the Retail Payments Risk Forum to bring together expertise from a variety of disciplines to collaborate on ways to better secure the payments system. Clifford Stanford, an assistant VP with the Atlanta Fed, is the director of the Retail Payments Risk Forum."
- RBS WorldPay and VeriFone Announce End-to-End Card Encryption Solution - www.earthtimes.org - 08/11/09 - "VeriFone Holdings, Inc. (NYSE: PAY) today announced that RBS WorldPay, the fastest growing top ten payment processor in the US, has agreed to work jointly and expeditiously towards marketing VeriFone's VeriShield Protect end-to-end solution for encrypting payment card data. RBS WorldPay is the first merchant acquirer to endorse a commercial end-to-end encryption solution."
- Two in three Australian companies leak data - www.securecomputing.net - 08/11/09 - "Two in three Australian organisations experienced a serious data breach in the last twelve months, according to a survey by the Ponemon Institute. The Institute, commissioned by data encryption company PGP, paid 482 IT security professionals in Australia to answer questions around the protection of their data."
- Richmond ATM cash thefts tied to ‘skimmers’ - www2.timesdispatch.com - 08/11/09 - "Richmond police say someone is using illegal monitoring equipment to gain access to cash through automated teller machines. Police today said someone used five fraudulent bank cards at an ATM in the Fan District on Saturday. The thief used stolen information gained by a so-called skimmer to access the money."
- Retail Police: Hundreds of victims of local 'skimming' scam - www.wate.com - 08/11/09 - "There are several hundred victims of a banking scam called skimming in Knox and surrounding counties, police officials say Tuesday. That's up from the dozen cases 6 News reported Monday that are under investigation by the Secret Service. Skimmers that have been put on ATMs are hard to detect and your card isn't actually stolen. The device just gathers your information to make a new card."
- Bank of America, Citigroup Reissue Cards After Breach - www.bankinfosecurity.com - 08/11/09 - "Two US banks recently reissued new credit and debit cards to Massachusetts customers after a data breach at an unnamed merchant. Bank of America and Citigroup both issued replacement cards and notified customers that their account numbers may have been compromised. Neither bank will say exactly how many cards were replaced or which third-party merchant database compromise was referred to in the notification letters."
- National Retail Federation Poll: Small Retailers Struggling To Understand PCI - www.darkreading.com - 08/11/09 - "First the good news: Most small retailers say they know about the Payment Card Industry's Data Security Standard (PCI DSS). But the bad news is they don't necessarily understand it, nor can many of them prove their compliance with it, a new study by the National Retail Federation (NRF) says."
- Skimming device used at Chelmsford cash point machine - www.chelmsfordweeklynews.co.uk - 08/11/09 - "POLICE are warning cash point users to be on their guard after a skimming device was used in Chelmsford. At around 3.50pm on Sunday a debit card that had been held in an ATM skimming device at Barclays Bank in Moulsham Street was removed and used to withdraw £500 from a Lloyds Bank ATM nearby."
- Secret Service now investigating local 'skimming' scam - www.wate.com - 08/11/09 - "The Secret Service is investigating at least 12 instances where debit card numbers and pins have been stolen locally in the last few weeks. Investigators suspect the information is captured through what's called "skimming." Once a debit card has been inserted into an ATM, the information is captured by a device attached to the outside of that machine where the card was inserted."
- EPX Delivers First Tokenized End-To-End Encryption Solution for Unsurpassed Merchant Security - www.businesswire.com - 08/10/09 - "Today Electronic Payment Exchange (EPX) became the first payment processor to offer a true end-to-end solution that endorses and incorporates both tokenization and encryption for securing cardholder data from the card reader through the entire transaction lifecycle."
- Network Solutions Breach Revives PCI Debate - www.bankinfosecurity.com - 08/10/09 - "The recent data breach at Internet domain administrator and host Network Solutions compromised more than 573,000 credit and debit cardholders and begs the question: What more can be done to secure such systems? The incident also raises new questions about the Payment Card Industry Data Security Standard (PCI). At the time of the breach, discovered in June, Network Solutions says it was PCI compliant."
- Beyond PCI - subscribers.supermarketnews.com - 08/10/09 - "Is end-to-end encryption the “next big thing” in payment card security? That's hard to say, especially in the highly complex and constantly changing world of data protection. But if you look at two of the biggest security breaches to hit retailing in the past few years — and the steps taken by the breached companies to prevent a reoccurrence of those break-ins — you would have to say that end-to-end encryption is on the retail horizon."
- BofA warns of Mass. security breach - www.bizjournals.com - 08/10/09 - "Two of the largest U.S. banks — Bank of America Corp. and Citigroup Inc. — have issued new credit and debit cards to Massachusetts customers after running into data-safety concerns. Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them in letters that their account numbers may have been compromised."
- Research Finds PCI DSS Awareness High Among Small Retailers, Lack of Understanding Remains Huge Hurdle - www.nrf.com - 08/10/09 - "Though small retailers are aware of Payment Card Industry Data Security Standards (PCI DSS), they feel frustrated and bewildered with the complex requirements, according to a survey of small retailers by ControlScan, the National Retail Federation, and the PCI Knowledge Base. The research was released in conjunction with NRFtech, NRF’s IT Leadership Summit, in La Jolla, CA."
- Think your data is safe? Heartland CEO says, Think again - blog.nrf.com - 08/10/09 - "Heartland CEO Robert Karr spoke quite candidly this afternoon in an impassioned, eye-opening keynote about events that, he says, have “occupied the last eight months of my life.” Of course, he was talking about a major data breach at his company last year, the largest in history."
- Do You Know This Guy? - www.wtvr.com - 08/10/09 - "Richmond Police are asking for your help to find the man in the attached picture. They say he's been using phony ATM cards and stealing money from ATM machines. They say he used five fake cards at a machine in the Fan, Saturday."
- Is it still safe to pay for petrol with your credit or debit card? - www.timesonline.co.uk - 08/08/09 - "Consumers should be on their guard when paying for goods and services in petrol stations, hotels and restaurants, as fraud “inside jobs” are increasing in the recession. From skimming devices on chip-and-PIN terminals to cameras filming people entering their PINs, there are many ways that corrupt staff can defraud customers paying for goods."
- Police investigate ATM scam in Gananoque - www.thewhig.com - 08/08/09 - "Police in Gananoque are investigating after the town was hit by an ATM skimming scam on the long weekend. At least two downtown banks were hit by thieves who used machines able to transfer the details of a person’s bank card and their personal identification number, allowing the card to be cloned and used to empty a person’s account. It is a technique known as “skimming.”"
- Webinar: Enterprise Payment Security 2.0 - www.cybersource.com - 08/07/09 - "Maintaining payment security doesn't require adding even more proverbial locks and bolts to your infrastructure. In fact, you can secure your payment process – including complying with PCI-DSS standards – with less cost, complexity, and time."
- 2009 Annual Study: Enterprise Encryption Trends - www.encryptionreports.com - 08/07/09 - "85% of U.S. organizations have been hit by one or more data breaches within the last twelve months - according to the latest Ponemon Institute research on Encryption Trends. This year's study surveyed 997 IT and security practitioners and identifies the trends in enterprise encryption planning strategies, budgeting and spending, deployment methodologies and impact on data breach incidents."
- MasterCard Becomes The First Card Brand To Publish PCI Fines - www.storefrontbacktalk.com - 08/07/09 - "MasterCard has become the first card brand to publish its PCI fines and related requirements, a move that could be the latest signal that MasterCard wants to step out of the PCI shadow of its larger rival, Visa. The dollars themselves do not reflect a radical change, although they do include some healthy increases."
- Beware of ATM skimming - abclocal.go.com - 08/05/09 - "It's a high-tech heist that sounds like a scene from a James Bond movie. Crooks are using high-tech equipment at one ATM to steal from hard-working Houstonians. It's far from new, but it's hitting at least one local woman in the pocket."
- Old-fashioned crooks rip off Bellevue ATM users - www.seattlepi.com - 08/05/09 - "Forget high-tech heists. Crooks reverted to some old-fashioned techniques to rip off ATM users over the weekend. At a downtown Bank of America, thieves clogged the card reader with X-ray film, then taped a poorly-written post-it note on the ATM machine reading, "If for any technical reason you card is retained - please enter you pin three times and press 'cancel."'"
- The Dangers of Over-Reliance on Compliance - www.csoonline.com - 08/05/09 - "Have you noticed that many of the firms suffering high profile, serious, and expensive information security breaches have nonetheless been 'compliant' with certain laws, regulations, or standards? Consider the case of credit card processor Heartland Payment Systems, which recently suffered the unauthorized disclosure of over 100 million credit card and debit card transactions. The firm handles the transactions of over 175,000 merchants. Hundreds of banks have already had to reissue cards as a result of the breach."
- How to Ensure Your Company's PCI DSS Compliance - www.eweek.com - 08/05/09 - "Complying with the Payment Card Industry Data Security Standard ensures that your company can continue to do business with the Payment Card Industry, but it doesn’t ensure that your company will be secure as well. Companies don’t want to be in a position where they could have prevented a cybercrime if they had only gone beyond the minimal amount of work to truly become PCI-compliant."
- U.S. magnetic stripe credit cards on brink of extinction? - www.creditcards.com - 08/04/09 - "While Europe and Canada are steadily moving ahead with widespread adoption of chip-and-PIN credit cards, U.S. magnetic stripe cards are being left behind in the dust. The European Payments Council (EPC) recently announced it's considering a ban on magnetic stripe cards within the next couple of years, raising the question of when U.S. credit card merchants will make the switch."
- Secret Service Checks Las Vegas ATMs - www.thenewamerican.com - 08/04/09 - "PC World reported on August 3 that the U.S. Secret Service is investigating some ATM machines in Las Vegas that are subtracting money from a user’s account without dispensing any cash. Ironically, the problem was first reported by one of the presenters from a Defcon hacker conference being held in Vegas."
- Security Analyst: Las Vegas ATMs May Have Malware - www.pcworld.com - 08/03/09 - "The U.S. Secret Service said on Monday it is investigating a group of ATM machines in Las Vegas that are debiting people's accounts but not dispensing cash. The case came to light after Defcon hacker conference presenter Chris Paget tried to withdraw $200 on Sunday from his account at the Rio All-Suite Hotel and Casino."
- One in seven Aussies are card fraud victims - www.securecomputing.net.au - 08/03/09 - "A survey commissioned by ACI Worldwide has found that more than 15 percent of Australian credit and debit cardholders have been victims of bank card fraud in the past five years. ACI Worldwide, a provider of application software for electronic payments, surveyed 2409 people globally, of which 310 responded from Australia."
July 2009
- TV Lamps Online Merchant Suffers Data Breach - news.softpedia.com - 07/30/09 - "DLP Lamp Source, a distributor of replacement DLP and LCD lamps, is in the process of notifying its customers of a data-breach incident, which exposed their personal information and credit-card details. The company notes that the administration portion of its website was compromised by unknown attackers."
- Free parking for all? Smart parking meters hacked - www.cnn.com - 07/30/09 - "Scofflaws could hack the smart cards that access electronic parking meters in large cities around the United States, researchers are finding. The smart cards pay for parking spots, and their programming could be easily changed to obtain unlimited free parking. It took researcher Joe Grand only three days to design an attack on the smart cards."
- Bulgarian skimmer arrested in the United States - www.sofiaecho.com - 07/30/09 - "Police in the US have apprehended a 34 year old Bulgarian citizen who was thought to be a member of a Bulgarian-run skimming gang which specialised in kitting out ATM machines with electronic surveillance equipment used to gain access to bank accounts of unsuspecting customers, Bulgarian news agency BTA said on July 30 2009."
- Bank customer finds credit card skimmer in ATM machine - www.midhudsonnews.com - 07/30/09 - "Sullivan County Sheriff’s detectives are investigating who placed a credit card skimming device in an ATM machine at a Bank of America branch in White Lake. The perpetrator placed the two-piece device, a scanner and a camera to read the customer punching in his or her ID numbers, in the credit card kiosk."
- Aite Report Says There Is No Easy Cure for Threats to Card Security - www.cutimes.uk - 07/29/09 - "There’s no vaccine against card data security breaches in the United States, and the prognosis for this persisting ailment shows there is no fast cure, according to a recent report, which also said it would cost an estimated $100 billion to fix card security in the U.S. Merchants are in the most vulnerable position in the card data security realm and malware, counterfeit card fraud and card-not-present fraud currently top the list of threats."
- Cops warn of high-tech debit scam (Canada) - news.bbc.co.uk - 07/29/09 - "Police charged three men after a card skimming device was found attached to a cash machine at a Kent supermarket. The device, which police described as a "Lebanese loop", is used to trap cards in bank cash machines."
- Cops warn of high-tech debit scam (Canada) - www.windsorstar.com - 07/29/09 - "Police held a press conference on Wednesday to display a PIN pad officers seized from a Windsor retail store on July 20. According to police, criminals at some point tampered with the PIN pad, equipping it with their own computer chip and a Bluetooth transmitter. The store had no knowledge of this."
- Brigham Young University to test new NFC microSD solution - www.nearfieldcommunicationsworld.com - 07/29/09 - "Students at BYU-Idaho will begin testing an NFC microSD solution from Rfinity in September. A new microSD-based NFC solution from US start-up Rfinity is to undergo its first field trial at Brigham Young University-Idaho in September."
- Counterfeit credit card ring busted - abclocal.go.com - 07/29/09 - "The District Attorney of Delaware County announced the bust of a major counterfeit credit card ring on Wednesday. Authorities believe the man behind the alleged ring is Kevin Henson, 36, of Chester. Ylana Starks, 30, his girlfriend, and an acquaintance, Donald Mewha, 59 were also charged."
- BlackHat USA 2009: Russia's Organized Crime Heritage Paved Way For Cybercrime - www.crn.com - 07/29/09 - "Russia's longstanding history with organized crime has nurtured a current crop of sophisticated cybercrime organizations dedicated to information stealing and political 'hacktivism.'"
- Credit card breaches reported at two companies with over half a million users possibly affected - www.scmagazineus.com - 07/27/09 - "Web hosting firm Network Solutions on Friday announced that, despite its being PCI compliant, a breach had compromised approximately 573,928 individuals' credit card information. Network Solutions discovered unauthorized code on its servers used to support thousands of e-commerce merchants' websites, Susan Wade, director of communications at Network Solutions told SCMagazineUS.com on Monday."
- Credit card breaches reported at two companies with over half a million users possibly affected - www.scmagazineuk.com - 07/27/09 - "Over half a million credit card details may have been compromised following a security breach at more than 4,000 ecommerce websites. Network Solutions, which hosts the websites, announced that it had found malicious code on servers supporting some of its customers' online stores."
- Credit card scam hits Baton Rouge area - www.wafb.com - 07/27/09 - "There is just one more way scammers are getting their hands on your money. It's called "skimming" and four people are behind bars in Port Allen, accused of stealing credit card numbers, and using them on a local business. West Baton Rouge Sheriff Mike Cazes says ATM machines rigged with a camera, and what's called a "skimmer" could easily steal your credit card number each time you swipe."
- Network Solutions data security breach exposes a half-million credit card numbers - searchsecurity.techtarget.com - 07/27/09 - "Hosting company and domain registrar Network Solutions LLC said malware planted on Web servers compromised more than a half million credit card accounts belonging to customers of its e-commerce merchants. Herndon, Va.-based Network Solutions disclosed the data security breach late Friday."
- PCI DSS: What Do You Know, Where Do You Stand? - www.ismretail.com - 07/27/09 - "For a couple of months spanning the first and second quarters of this year, Integrated Solutions For Retailers surveyed its subscribers — hundreds of retailers from many segments, ranging the gamut from small and regional chains to tier-one enterprises — on their perceptions of the PCI DSS (Payment Card Industry Data Security Standard)."
- Key Management - The Hype and the Reality - www.thales.com - 07/26/09 - "It's said that encryption is easy (or at least easier) than key management, which is the hard piece. But what does key management mean to you? Register for this 45 minute webcast featuring Richard Moulds, author of “Key Management for Dummies”, and EVP Product Strategy at Thales (formerly nCipher)."
- U.S. Senate’s Data Breach Bill Full Of Flawed Assumptions - www.storefrontbacktalk.com - 07/26/09 - "The chairman of the powerful U.S. Senate Judiciary Committee, Sen. Patrick Leahy, is trying—after two failed attempts—to get his data breach bill made into law. But even though his bill would answer the pleas of many retailers by creating one single national standard for handling major retail data breaches, the bill’s details don’t deliver the comprehensive relief promised."
- Network Solutions Says Hackers Accessed 573,000 Card Accounts - www.washingtonpost.com - 07/25/09 - "Web services provider Network Solutions disclosed Friday that hackers broke into its servers and stole information on more than 573,000 debit and credit card accounts from its customers over the past three months. The Herndon firm discovered in early June that unknown attackers hacked into servers that provide e-commerce services such as Web site hosting and payment processing to at least 4,343 small to mid-size online stores -- about half of its customer base."
- Massachusetts Says Encrypt It All! - cio.ulitzer.com - 07/24/09 - "Protecting personal data, like backup and disaster recovery, can be hard to get people excited about. Although we see the problem plainly and solutions are widely available, it can be hard to convince business management that technologies like encryption are worth the investment. But new regulations promise to change all that: Massachusetts and Nevada have enacted data protection laws that require encryption of personal information in transit."
- Two Winnipeggers accused in alleged fraud ring - www.winnipegsun.com - 07/24/09 - "Three B.C. residents and two Winnipeg women are accused in a credit card scam which saw them lead a short-lived lavish lifestyle of high-end hotels, limos, and expensive things, city police say. Police said the suspects used stolen and forged credit cards to pay for hotel rooms, limo rides, jewelry, electronics, tools, DVDs, computer equipment, meals, and airline tickets to fly friends in and out of Winnipeg between June 18 and July 16."
- Credit card data leaked from Alico Japan - news.yahoo.com - 07/24/09 - "The Japanese arm of global insurer Alico said Friday that credit card data of some 110,000 customers could have been leaked, and that fraudulent purchases may have been made in over 1,000 cases. The American Life Insurance Co., affiliated with troubled US giant American International Group (AIG), said it was first alerted last week by credit card companies about the suspected cases among its policy-holders."
- Queensland's Gold Coast hit by Bulgarian skimmers (Australia) - www.sofiaecho.com - 07/22/09 - "A Bulgarian-based criminal group is suspected to be behind the scam which had an ATM machine kitted out with a device to illegally record card details, in Queensland's Gold Coast. Reportedly, at least 80 000 Australian dollars were siphoned from Gold Coaster's bank accounts in an international card-skimming operation that Australian authorities believe originated in Bulgaria, the www.goldcoast.com.au has reported."
- How Dealers Should Deal with PCI Compliance - retailpayments.blogspot.com - 07/22/09 - "There were some interesting comments and ideas presented by Bob Goldberg, General Counsel of the RSPA, during the PCI Panel discussion I moderated in Las Vegas last week. After thinking about them, I want to expand on his comments and discuss what dealers should be doing with regards to making their customers PCI compliant."
- 2 arrested in alleged ATM skimming scheme - www.baltimoresun.com - 07/22/09 - "Multiple charges have been filed against two men suspected of using debit card numbers stolen from a PNC Bank automated teller machine in Frederick, police said today. Mihai Ittu, 39, and Stefan Iancu, 31, were arrested in Oklahoma, where they face similar charges, Frederick police Lt. Shawn B. Martyak said."
- Police: Skimmers scam debit card info at NC ATMs - www.wmbfnews.com - 07/22/09 - "Police in Lumberton are asking residents to pay close attention to their bank accounts after two people reported having their bank accounts accessed without the use of a debit card. Lt. Johnny Barnes with the Lumberton Police Department says the two reports came from people who had their debit cards in their possession."
- Clarifying, Somewhat, The PCI Wireless Security Standards - www.storefrontbacktalk.com - 07/22/09 - "The Wireless Special Interest Group of the PCI SSC has just issued a set of guidelines to help companies ensure that their wireless networks are secure and effectively segmented to limit the potential for damage to the cardholder data environment if a portion of the wireless network should be compromised."
- NBC TODAY Show Avoiding Debit Card Skimming - NBC - 07/22/09 - "Lea Thompson from Retirement Living TV’s “Fraud Squad” explains a sophisticated new way crooks are targeting your debit card information."
- Credit-Card Fraud Spikes - www.connectionnewspapers.com - 07/22/09 - "As a waiter at the Red Lobster in Alexandria, Arlington resident Kevin Maples developed a way to trick customers to leave their credit cards behind. After charging the bill, Maples said, he would wrap the receipt around the card in a way that obscured it from view."
- Metro confiscating high number of skimming devices (Las Vegas) (With Video) - www.ktnv.com - 07/21/09 - "A high-tech way to steal your most personal information is skyrocketing in the valley. Metro is confiscating more skimmers than ever. The devices illegally record the information from the back of your financial card. They're most commonly found at gas pumps, ATM machines and in restaurants. Metro says over the past three months alone, officers have confiscated about 75 skimmers."
- Debit-Card Security Plan Worries Gas Pump Owners - www.nacsonline.com - 07/21/09 - "To comply with Visa’s debit-card standard that affects gasoline equipment, retailers face costly hardware upgrades at their pumps, including new PIN processors, the Arkansas Democrat-Gazette reports. The new standard, which for Visa transactions takes effect July 1, 2010, will add roughly $3,000 per pump, said Nick Siddique, an Arkansas Shell marketer."
- Nevada’s Security of Personal Information Law Post One: The Basics of Nevada’s Security Law and Destruction of Records - www.infoseccompliance.com - 07/21/09 - "The following FAQs cover “the basics” of Nevada’s Security of Personal Information Law, as well as the data destruction obligations of the law."
- Who is Minding the Legal Risk around PCI? - retailpayments.blogspot.com - 07/21/09 - "David J. Navetta, Esq., CIPP, managing member InfoSecCompliance, LLC published an excellent article in the April 2009 issue of the ISSA (International Systems Security Association) Journal titled "Who is Minding the Legal Risk around PCI?". The article reviews the legal framework for PCI related compliance and lawsuits and should be a must read for anyone responsible for PCI compliance for their company."
- Companies offer to pay breach fines - www.scmagazineus.com - 07/21/09 - "Two credit-card payment processors are offering to cover merchants' fines and penalties in the event of a data breach. However, the two companies, Heartland Payment Systems and Mercury Payment Systems, have different requirements that must be met before a merchant would qualify for coverage. For Mercury, the retailer would have to prove it was Payment Card Industry Data Security Standard-compliant (PCI DSS) at the time of a breach."
- Industry group releases software integrity framework - www.scmagazineus.com - 07/21/09 - "A nonprofit dedicated to securing software has released an industry-first model for helping to ensure criminals cannot sabotage the supply chain process. The Software Assurance Forum for Excellence in Code (SAFECode) on Tuesday released "The Supply Chain Integrity Framework," a 14-page document that defines software integrity, chronicles its challenges and provides a comprehensive list of principles that should be applied to the commercial software supply-chain process."
- Security Checks for Less - www.risnews.com - 07/20/09 - "Merchants must vet employees and contractors who have any contact with cardholder data according to PCI Compliance requirement 12.7. Increasingly, large retailers are asking their solution providers to assure such checks for those installing and maintaining POS systems. With theft of card data a growing issue, it's a no-brainer that you wouldn't want the wrong people working on systems that process this sensitive data."
- Impact of Non-Compliance with Visa’s 7/1/10 Compliance Date - retailpayments.blogspot.com - 07/20/09 - "There has been much confusion over the impact to a retailer who does not meet the Visa July 1, 2010 mandates for payment security. To review, there are three different mandates from Visa that must be met by US merchants by July 1, 2010."
- Mercator End to End Encryption Report - retailpayments.blogspot.com - 07/20/09 - "Mercator Advisory Group recently published “End to End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance.” The report was written by George Peabody, Principal Analyst for Mercator and was published in June 2009."
- MasterCard Clarifies Remote Key Injection Requirements - retailpayments.blogspot.com - 07/20/09 - "A month ago MasterCard issued a bulletin about how and what terminals can be upgraded to TDES keys for debit PIN encryption. The bulletin seemed to indicate that Remote Key Injection would not be allowed as a way to upgrade terminals to TDES keys."
- FTC ready to set data safeguards - www.azcentral.com - 07/19/09 - "When it comes to identity theft, ignorance is no longer bliss. Many businesses that handle sensitive personal information about customers, patients, employees, suppliers and others soon will have to develop plans to safeguard the data and resolve problems - or face the consequences."
- Verizon Business reveals details of Encryption Key Compromises - retailpayments.blogspot.com - 07/19/09 - "Verizon Business recently held a webinar titled “Don’t be the next victim on PIN-Based attacks.” In the webinar, they revealed that there have been several PIN breaches, as well as the details behind the most common attacks against encrypted debit PIN’s."
- PCI DSS: What Do You Know, Where Do You Stand? - www.ismretail.com - 07/19/09 - "For a couple of months spanning the first and second quarters of this year, Integrated Solutions For Retailers surveyed its subscribers — hundreds of retailers from many segments, ranging the gamut from small and regional chains to tier-one enterprises — on their perceptions of the PCI DSS (Payment Card Industry Data Security Standard)."
- Debit-card security plan worries gas pump owners - www.nwanews.com - 07/19/09 - "New security requirements from credit-card companies that gas stations and other retailers upgrade equipment to protect consumer information will prove costly to merchants. The new standards, meant to protect against theft of credit- and debit card information, are part of a series of upgrades recommended by the Payment Card Industry Data Security Council, which was formed three years ago by the five major credit-card companies."
- Four million British identities are up for sale on the Internet - technology.timesonline.co.uk - 07/18/09 - "The identities of more than four million Britons are being offered for sale on the internet, The Times has learnt. Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers and even PINs are available to the highest bidder."
- Millions stolen in SMS banking scam (South Africa) - www.iol.co.za - 07/17/09 - "Gauteng police are working with Vodacom to trace the victims of a multimillion-rand SMS banking authentication scam, described by a top security firm as the first of its kind. Police spokesperson Superintendent Lungelo Dlamini said on Thursday that members of the Joburg Commercial Crimes Unit were liaising with commercial crime units across the country to determine how many people had been affected by the rip-off."
- Card Skimmer At Ojai Valero - www.ovnblog.com - 07/17/09 - "The Ventura County Sheriff’s Department’s Ojai Station Detectives are investigating the use of fraudulent credit cards. Between May 1, 2009 through June 30, 2009, unknown suspect(s) placed “skimmers” on credit card readers on the gas pumps at Valero Gas Stations in Ventura and Santa Barbara Counties. Criminals have been attaching “skimmers” to obtain account information and create fraudulent cards with the stolen account numbers."
- Credit Cards - Three brothers jailed for card fraud - www.onlyfinance.com - 07/17/09 - "Three brothers have been jailed for a total of twelve years for running a debit and credit card making factory. The three pleaded guilty to conspiracy to defraud at Southwick Crown Court. Police from the specialist card squad were searching the office space where they found equipment for skimming and creating new cards."
- Debit card skimming gang targets Coast Capital (Canada) - www2.canada.com - 07/17/09 - "Debit card holders in Richmond are being warned to be on the lookout after it emerged that hundreds of bank customers -- including off-duty local RCMP officers -- were the victims of a skimming gang. The card skimming gang targeted ATMs at two Coast Capital Savings branches, both on No. 3 Road, at the Broadmoor Shopping Mall and at Richmond Centre."
- The Redditch Standard - Cash machine users warned after scammers take £800 from account - www.redditchstandard.co.uk - 07/17/09 - "A FATHER of two has warned cashpoint users to check their statements after scammers using a skimming device stole £800 from his account. The Redditch resident, who asked to remain anonymous, used the cash dispenser at the Co-op store, Evesham Road in the Crabbs Cross area on Thursday, June 25."
- Encrypting Your Enterprise’s Data Is Crucial To Preventing Costly Data Breaches - www.processor.com - 07/17/09 - "When it comes to storage encryption, the primary concern is protecting data as it leaves the trusted environment of your data center. There are three primary cases when this occurs; users taking data out of the environment on USB memory sticks, external hard drives, and laptops; data being moved offsite for long-term storage or protection from disaster; and when storage systems are decommissioned."
- Citibank Users Information Breach (Greensboro, NC) - www.digtriad.com - 07/16/09 - "The company wants to warn card holders that a merchant's database was compromised which may put your account at risk. Citicard will issue a new card and account number to affected customers. You can still use your current card until your new one arrives. Remember, you should always check your credit card and also your bank statements every month. If you spot any unusual activity, immediately call your bank and report it."
- When States Attack, Retailers Relax - www.cbsnews.com - 07/16/09 - "When a business owner gets a call from that state's attorney general's office, saying that a probe is about to be launched investigating that business, panic is a typical response. But when that call came to the offices of TJX, the $19 billion owner of retail chains Marshalls, T.J. Maxx, HomeGoods, A.J. Wright and others, panic was not necessary."
- 'Dynamic' security system developed as cash card fraud spirals out of control - www.dailymail.co.uk - 07/16/09 - "The cost of plastic card fraud in Britain is spiralling out of control, forcing banks and credit card companies to develop a new generation of 'dynamic' cards with constantly-changing passwords. Card fraud cost the UK £610million last year - up by a massive 43 per cent in just two years - and more than three quarters of all offences now involve internet, telephone or mail order shopping where chip-and-pin technology currently offers no protection."
- Card skimming scam at local ATM - www.hometownannapolis.com - 07/16/09 - "City police are searching for two men who apparently altered a local bank's ATM machine to steal credit card information earlier this month, a growing crime that should make all cardholders wary. Police have received photographic evidence of a pair of men placing a "skimmer" and camera on the Bank of America walk-up ATM on Church Circle July 5, and removing it less than two hours later."
- 2 people sought in ATM theft - www.baltimoresun.com - 07/16/09 - "Annapolis detectives are looking for two people who are believed to have installed a skimming device on an automated teller machine in June, a police spokesman said. Investigators reviewing bank fraud reports noticed that four people had stated that their ATM cards had been used to make online purchases, said Officer Ray Weaver, an Annapolis police spokesman."
- UK Brothers Sentenced for Making Fake Credit, Debit Cards - www.pcworld.com - 07/15/09 - "Three brothers were sentenced to prison on Tuesday in a London court for creating counterfeit credit and debit cards, defrauding victims of more than £600,000 (US$978,000), according to the Metropolitan Police."
- “What’s an Acquirer?” And Other Noteworthy SME Questions - www.storefrontbacktalk.com - 07/15/09 - "Small business owners may be too stupid to ever be PCI compliant. I recently participated in a webinar, a live seminar and a survey all aimed at small business, and all part of separate efforts aimed at building awareness about the importance of PCI compliance to small to medium size enterprises (SMEs)."
- Visa Sets Software Security Deadlines - www.banking-business-review.com - 07/15/09 - "Visa has announced global requirements for financial institutions to ensure their merchant customers and agents use secure payment applications, that do not store prohibited data elements and adhere to the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS)."
- PCI council publishes wireless security guidelines for payment cards - www.networkworld.com - 07/15/09 - "Any business accepting credit and debit cards -- and using or considering wireless LANs -- should carefully review the recommendations for use of 802.11 wireless access points that are detailed in the guidelines issued Wednesday by the Payment Card Industry Security Standards Council."
- Some retailers are moving toward payment security 2.0, expert says - www.internetretailer.com - 07/15/09 - "While many retailers continue to comply with the payment card industry data security standard, some merchants are moving their payment data to systems outside the scope of the 12 in-depth guidelines of the standard, commonly called PCI, says Dave Glaser, vice president of global professional services at CyberSource Corp., a provider of payment processing and security technology and services."
- Police Warn of Suspected ATM Fraud in Annapolis - www.wjla.com - 07/15/09 - "Annapolis police are warning residents about a rash of fraud stemming from suspected ATM skimmers. Investigators have released surveillance photos of two men they suspect of installing the skimming devices on a Bank of America ATM at 10 Church Circle in Annapolis."
- Teen gets probation for credit card thefts - www.dailyherald.com - 07/15/09 - "A Wheeling teenager will spend the next 30 months on felony probation after he pleaded guilty to skimming credit card information from Home Depot shoppers last December. Siamion Kuzmin, of the 200 block of Woodmere Lane, was sentenced Tuesday in a Rolling Meadows courtroom after pleading guilty to five counts of identity theft."
- Fraud hits local customers of online retailer Nashbar - www.bikeportland.org - 07/14/09 - "Northeast Portland resident Gabriel Tiller is sort of a bicycle renaissance man. He has won a national tall-bike jousting competition, taken top prize at the Zoobomb Century, earned a spot on the gravity-biking podium at the Maryhill Festival of Speed, he likes to do bike touring, and he has recently taken to mountain biking."
- Pepper Spray-Armed ATM Misfires, Shoots Workers (South Africa) - www.wired.com - 07/13/09 - "A South African bank has outfitted its ATMs with pepper spray to prevent criminals from bombing or tampering with the machines. But the system still has some bugs: One of the machines released its stinging payload on three maintenance workers last week."
- Underground cybercrime economy fuelling growth of data-stealing malware - www.business24-7.ae - 07/13/09 - "An underground cybercrime economy driven by profit-seeking criminal networks has led to stealing of personal information from compromised networks and PCs, according to a security report. Data-stealing malware has been in the limelight in Q1 2009, according to the latest data from TrendLabs, security company Trend Micro's global network of research, service and support."
- Security Experts Start to Look at Data Encryption for Smart Phones - www.digitaltransactions.net - 07/13/09 - "As the momentum behind mobile payments gathers strength, some technology experts are starting to consider so-called smart phones—which make mobile payments easy—to be devices in need of encryption. That’s one finding in an annual study out Monday about encryption, a hot topic in the payment card industry nowadays because of a rash of data breaches."
- LexisNexis data breach linked to New York mob family - www.bizjournals.com - 07/13/09 - "LexisNexis has incurred another data breach, and federal authorities say this time it’s at the hands of the Bonanno crime family. The New York-based company — which has 3,000 employees in the Dayton area — has sent 13,000 letters to former customers whose personal data may be at risk, the company said in a statement."
- CIOs Talk Tech - www.csnews.com - 07/13/09 - "Will the PCI deadline of July 2010 stand for PIN Pads at the pump, and if it does, will retailers realistically be ready? Are loyalty programs working to keep customers loyal? How are Business Intelligence solutions -- one of the technologies seeing a huge surge in adoption according to Convenience Store News' 2009 Technology Study -- improving the bottom line?"
- MasterCard seeks to clarify remote POS security upgrades policy - www.infoworld.com - 07/10/09 - "MasterCard today clarified a June 15 bulletin about the use of remote key injection (RKI) services for upgrading encryption protocols on merchants' point of sale (POS) terminals, saying it was not an edict. The bulletin was interpreted by some as a signal that MasterCard was disallowing the use of RKI services as a way to do the upgrade, instead requiring merchants ship terminals to secure offsite locations for upgrades."
- An Information Gap Sparks a Dust-Up over Remote Key Injection - www.digitaltransactions.net - 07/10/09 - "Is MasterCard Inc. putting the kibosh on a new technology called remote key injection that makes it easier to enhance the security of point-of-sale payment terminals? That’s the impression some payments executives got after reading an online Computerworld article Wednesday that said MasterCard was insisting on manual injection of security keys into terminals. But MasterCard and an executive with a major POS terminal maker say that’s not really the case."
- PCI Compliance: Websites and Hosting Service Providers Can't Afford to Ignore It - www.seekingalpha.com - 07/09/09 - "PCI – What is it? We can only begin to imagine the losses, liability and other consequences resulting from unauthorized access to credit card information, which, unfortunately, happens all the time. To attempt to deal with this problem, the credit card industry developed the Payment Card Industry (PCI) Data Security Standard (DSS) or PCI DSS to ensure that companies that process, store or transmit credit card information maintain a secure environment."
- Firms advised to boost credit card data protection - www.compareandsave.com - 07/09/09 - "Hacker attacks seeking out credit card numbers and other sensitive information from company databases are becoming more common, research from The Ponemon Institute has revealed. The study, released by the PGP Corporation, shows that 70% of UK firms have suffered some form of data breach over the past 12 months. This is an increase from the 60% who said the same when the survey was conducted the previous year."
- Only a "digital Pearl Harbour" can save us - www.securecomputing.net.au - 07/09/09 - "A tidal shift is needed on co-operation. The Australian Federal Police believe that only a "catastrophic attack" by hackers on the national information infrastructure or a Big-Four bank brought to the brink of collapse will catalyse cross-border cybercrime co-operation. The national manager of the Australian Federal Police high tech crime centre, Neil Gaughan, told an e-security panel in Sydney today that the borderlessness of electronic crime was a problem for law enforcement."
- Former Teen Hacker’s Suicide Linked to TJX Probe - www.wired.com - 07/09/09 - "A Miami man who achieved fame as a teenager for hacking NASA and the Pentagon took his own life last year after Secret Service agents accused him of being part of the conspiracy responsible for the largest identity theft in U.S. history, his family says."
- Gang used six skimmed transaction cards to embezzle Rs 0.8m (Pakistan) - www.hackinthebox.org - 07/09/09 - "The Federal Investigation Agency (FIA) has arrested Khawaja Muhammad Usman Ghani, the manager of a private bank, and others for allegedly hacking into various banks’ security system and withdrawing account-holders’ money using counterfeit debit and ATM cards."
- Credit card scammers target Malmö drivers (Sweden) - www.thelocal.se - 07/09/09 - "Dozens of drivers who refueled at petrol stations in southern Sweden have been caught up in a credit card scam, with more than 40 reports pouring in on Thursday alone. Police first received word about a new type of ‘skimming’ operation on Tuesday."
- Lessons from the Data Breach at Heartland - www.businessweek.com - 07/08/09 - "Robert Carr was settling in for the evening in a New York hotel on Jan. 12 this year when at 10:30 p.m. he got a phone call that every financial services executive dreads. Carr, CEO of Heartland Payment Systems (HPY), learned that intruders might have hacked into the company's computer network."
- MasterCard halts remote POS security upgrades - www.computerworld.com - 07/08/09 - "In a purported second major security change in recent weeks, MasterCard has decided to disallow merchants' use of remote key injection (RKI) services to install new encryption keys on point-of-sale (POS) systems, says a Gartner analyst. Such a decision would mean that merchants hoping to upgrade the encryption on their POS terminals in an automated fashion over their networks would instead need to continue doing it manually and one terminal at a time in a secure off-site facility."
- Union says bus co must take some blame (New Zealand) - www.storefrontbacktalk.com - 07/08/09 - "As Heartland inches along to officially rolling out its version of end-to-end encryption, the processor is stealing a marketing page from tax return firm H&R Block. It’s preparing to guarantee retailers that if they’re breached while using Heartland’s service, Heartland will cover the costs of any fines and penalties. Whether or not the risky approach will work is an interesting issue, but you’ve got to love the psychological dynamic at play here."
- Union says bus co must take some blame (New Zealand) - www.newstalkzb.co.nz - 07/08/09 - "Wellington's bus company is being told it is lucky so few drivers participated in a scam which saw it ripped off to the tune of tens of thousands of dollars. Nine Go Wellington drivers have been fired and a complaint has been laid with police over the rort, which allegedly lasted for a number of years. It is reported the stealing involved some drivers skimming a percentage of fares."
- 70% of UK Organisations Hit By One or More Data Breach Incidents Within Last Twelve Months (UK) - news.prnewswire.com - 07/08/09 - "PGP Corporation, a global leader in enterprise data protection, has announced the results of the third annual study by The Ponemon Institute, identifying the steps UK organisations are taking in order to safeguard their confidential data. The 2009 Annual Study: UK. Enterprise Encryption Trends study, which polled IT security professionals at 615 enterprises and public sector organisations, found that 70% of UK organisations have been hit by at least one data breach incident within the last year, up from 60% in the previous year."
- Third member of Peninsula credit card scam trio gets two years in prison - www.insidebayarea.com - 07/07/09 - "A South San Francisco woman has been sentenced to two years in state prison for her role in a scam that bilked local credit card holders out of thousands of dollars, a prosecutor said. Iris Singh, 28, used fake credit cards made by her accomplices in order to buy merchandise and gift cards, said Chief Deputy District Attorney Steve Wagstaffe."
- Heartland Tests End-to-End Encryption; Gets Good Reviews - www.bankinfosecurity.com - 07/06/09 - "In the first step of its move toward end-to-end encryption, Heartland Payment Systems (HPY) last week completed the first phase of its pilot project. Heartland, the sixth biggest payments processor, earlier this year announced that it was hit with a data breach, wherein credit card numbers and debit card information were taken by hackers who broke into the payment processor's internal network."
- Card-cloner Adrian Pleseru jailed for his role in an international skimming scam - www.dilloninvestigates.com - 07/06/09 - "A key player in a sophisticated credit-card fraud gang was jailed this week for four years. Adrian Pleseru pleaded guilty after being caught red-handed with equipment to clone credit cards during a Garda raid on his Cabra flat. The 28-year-old Romanian dad-of-one was caught last April after a Garda operation was set up to target a highly-organised pickpocket and card skimming scam."
- Skimmers claim another victim (UK) - www.eveningtelegraph.co.uk - 07/06/09 - "A Dundee woman has had hundreds of pounds stolen from her bank account by criminals who used skimming technology to clone her bankcard (writes April Mitchinson). The woman, who asked to be known only by her first name, Louise, discovered the unauthorised withdrawals when she was told she had exceeded her daily withdrawal limit and checked her balance at the bank."
- Portaltech questions the strength of the Payment Card Industry (PCI) standard (UK) - www.responsesource.com - 07/06/09 - "Portaltech, a leading UK eCommerce Systems Integrator and Consultancy, suggested today that the PCI standard has not yet accomplished what it set out to achieve. The PCI Data Security Standard (DSS) is a worldwide information security standard put together by the Payment Card Industry Security Standards Council (PCI SSC)."
- Is Nevada's New Privacy Law a 'Game-Changer?' - www.bankinfosecurity.com - 07/06/09 - "Should individual states mandate that businesses comply with the Payment Card Industry's Data Security Standard (PCI DSS)? The answer is "yes," according to Nevada, which has passed a new law that, as of next year, requires businesses to comply with PCI when collecting or transmitting payment card information. Nevada is the first state to mandate full PCI compliance for businesses. Minnesota in 2007 incorporated only a portion of PCI in its Plastic Card Security Law."
- Men caught with stolen cards (South Africa) - www.thestar.co.za - 07/05/09 - "Five men were caught with 90 stolen debit and credit cards they allegedly used to withdraw money from automated teller machines in Ritavi, Limpopo police said on Sunday. The five men, arrested on Saturday night, formed part of a syndicate that allegedly tampered with ATMs in a bid to trap people's cards and retrieve them later, Superintendent Mohale Ramatseba said in a statement."
- Woman criticises supermarket after 'card cloning' - www.getsurrey.co.uk - 07/02/09 - "A MOTHER who claims she had her debit card cloned at the Sainsbury’s store in Godalming has blasted the supermarket giant for not doing more to prevent the same happening to other customers. Ashley Gordon said she was told by her bank that the cash machine outside the store in Woolsack Way was notorious for people having their card details stolen."
- GARTNER: FUTURE IT SECURITY JOBS TO FOCUS ON RISK MANAGEMENT STRATEGY - go.techtarget.com - 07/01/09 - "What does the future of information security threats and technologies look like, and how will that affect roles and staffing in the IT or IT security organization? If experts at the Gartner Information Security Summit here are correct, IT security jobs will become less about security technology and much more about risk management strategy, as threats either max out, in one scenario, or become so complex that security jobs will change nonetheless."
- Bike Nashbar warns customers of security breach - www.citizen-times.com - 07/01/09 - "Discount retailer Bike Nashbar is calling customers this morning to warn them that their credit card information may have been stolen. A Citizen-Times editor received a call from a Nashbar customer service agent explaining that the company's computer servers had been hacked and credit card information was 'compromised.'"
- Card Data Security: In Search of a Technology Solution - www.aitegroup.com - 07/01/09 - "A new report from Aite Group, LLC reveals stakeholder perceptions of current card data security issues, an overview of their responsibilities and a look at what is required to fix card data security. Based on in-person interviews conducted by Aite Group with 29 heads of risk management and other bank executives, the report provides insights from key decision-makers in the card payments risk and security realm."
June 2009
- NATIONAL DATA PRIVACY LAW COMING; BIG BROTHER, ALREADY HERE - go.techtarget.com - 06/30/09 - "Momentum for a federal electronic data privacy law that would pre-empt the 44 state data breach notification laws already on the books and be more in line with European data privacy laws seems to be growing. "If you work for an information broker, you definitely should be paying attention to this," said Miriam Wugmeister, who chairs the global privacy and data security practice at law firm Morrison & Foerster."
- Juniper pulls ATM hacking presentation from Black Hat - searchsecurity.techtarget.com - 06/30/09 - "A Juniper Networks Inc. security researcher who planned to demonstrate a way to hack the software of an ATM at the Black Hat Briefings in Las Vegas had his presentation pulled at the request of the ATM vendor. Barnaby Jack's "Jackpotting Automated Teller Machines," presentation, which was to take place on July 30, was pulled from the schedule on Monday."
- Heartland Payment Systems Successfully Completes First Phase of End-to-End Encryption Pilot - www.businesswire.com - 06/30/09 - "Heartland Payment Systems (NYSE: HPY), one of the nation’s largest payments processors, yesterday successfully completed the first phase of its end-to-end encryption pilot project. This first step involved the transmission of live AES (Advanced Encryption Standard)-encrypted card transactions from a merchant to Heartland’s processing platform."
- High-tech identity theft today - www.bobarno.com - 06/29/09 - "Identity theft is now the number one crime in the world. Las Vegas is number one in the U.S. for ID theft; even though it’s estimated that only 20% of the crimes are reported. The FBI estimates that seven out of every ten stolen dollars ends up in Las Vegas. There’s more money in Vegas than most places. Hence Vegas’s place at the top of the ID theft heap."
- Price Tag for End-to-End Encryption: $4.8 Billion, Mercator Says - www.digitaltransactions.net - 06/29/09 - "Demand is booming for better payment card security as a result of the many data breaches of recent years, and the solution being touted more than any other is “end-to-end encryption.” But a new report from Mercator Advisory Group Inc. asserts that the term is imprecise and implementing the technology will take incentives, collaboration, and a lot of salesmanship."
- 'Iceman' pleads guilty in credit card theft case - news.cnet.com - 06/29/09 - "Max Ray Vision, aka "Iceman," pleaded guilty on Monday to two counts of wire fraud stemming from the theft of nearly 2 million credit card numbers and $86 million in alleged fraudulent purchases. Vision faces up to 60 years in prison when he is sentenced in October in federal court in Pittsburgh, according to federal public defender Michael Novara."
- Europe to Eye Mag-Stripe Ban - www.americanbanker.com - 06/26/09 - "European banks may consider banning the use of magnetic stripe credit and debit cards, according to Gerard Hartsink, the chairman of the European Payments Council. Hartsink, who is also a senior executive vice president at ABN Amro in Holland, said that European financial companies will have largely completed the transition to the EMV Integrated Circuit Card Specification by 2011, and the council, which is driving the transition to the Single Euro Payments Area, could then advise its members to stop accepting magnetic stripe cards, which are considered less secure than those that use EMV."
- PCI Security Council seeks industry comments on current standards - www.computerworld.com - 06/25/09 - "The group that administers the Payment Card Industry Data Security Standard (PCI DSS) wants feedback about how the current version of the standard, released last October, is working. Retailers, financial institutions and others in the payment industry will be able to submit online comments between July 1 and Nov. 1 about how to improve the PCI DSS 1.2 standard, the PCI Security Standards Council (SSC) said this week."
- TJX Agrees to Security Pilot Programs and to push End to End Encryption - retailpayments.blogspot.com - 06/25/09 - "There were some interesting terms agreed to by TJX in the TJX/State Settlement. First, TJX agrees to participate in pilot programs for new payment security technology, such as chip and pin, if asked to do so by MasterCard or Visa within 2 years of the date of the agreement. After two years, I guess they can say no. Second, they agreed to take steps within the next 180 days to encourage the development of end to end encryption including seeking the cooperation of their acquiring bank."
- Credit card scammer gets two years in prison - www.insidebayarea.com - 06/25/09 - "A South San Francisco man was sentenced Wednesday to two years in state prison for his role in a scam that bilked local credit card holders out of thousands of dollars, a prosecutor said. Anit Singh, 28, used a device called a "skimmer" to record the credit card information of customers at an Indian restaurant in Burlingame where he used to work, said Morley Pitt, assistant San Mateo County district attorney."
- TJX Agrees To Pay States Almost $10 Million For Data Breach - www.storefrontbacktalk.com - 06/25/09 - "After a probe and negotiations lasting 2-and-a-half years, the TJX chain agreed on Monday (June 22) to pay a group of 41 U.S. states $9.75 million for what appears to be the credit card industry’s worst data breach, a crime that touched more than 100 million payment cards and was revealed in January 2007. But the dollars behind the settlement are relatively trivial for the $19 billion owner of Marshalls, T.J. Maxx, HomeGoods, A.J. Wright, HomeSense and Winners."
- End-to-End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance - www.mercatoradvisorygroup.com - 06/25/09 - "With the US payments system under continuous cyberattack and data breaches endemic, merchants and processors are scrambling to protect their data assets and cardholder data in particular. Card data encryption turns valuable data into worthless bits and bytes, eliminating the economic incentive for a cyberattack."
- PCI Security Standards Council Selects PricewaterhouseCoopers for Emerging Technology Review and Recommendations Project - www.globenewswire.com - 06/24/09 - "PricewaterhouseCoopers LLP (PwC) has been awarded a research project by the PCI Security Standards Council (SSC). PwC will perform industry research to support the PCI SSC in determining which technology approaches may be available to help merchants, service providers and processors more effectively secure cardholder data in accordance with the various Standards released by the Council."
- Nevada Data Encryption Law Has Wide Coverage - retailpayments.blogspot.com - 06/24/09 - "Nevada recently enacted a new Data Protection law which replaced the previous law that was in effect for less than a year. The new law has some broad-reaching implications. The law applies to any business that has any transactions or employees located in the state, no matter where their headquarters are located and requires those businesses that accept credit cards to “comply with the current version” of the PCI DSS."
- Nevada toughens data protection law with crypto, PCI requirements - searchcompliance.techtarget.com - 06/23/09 - "Nevada is getting serious about mandating the use of encryption to secure personal information. On May 29, Gov. Jim Gibbons signed into law Senate Bill No. 227, which repealed data protection law NRS 597.970, which had been in effect for less than a year. Among other things, the new law requires data collectors to use cryptographic key technology that meets established industry standards and, if they accept credit or debit cards, to comply with the Payment Card Industry Data Security Standard (PCI DSS) with respect to those transactions."
- TJX To Pay $9.8M To Settle Data-Breach Probe By States - online.wsj.com - 06/23/09 - "TJX Cos. (TJX) announced it has settled with 41 state attorneys general related to the theft of potentially 100 million credit- and debit-card numbers earlier this decade in one of the biggest cases of identity theft. The owner of the Marshalls and T.J. Maxx retail chains will pay $8 million - a $5.5 million settlement and $2.5 million to establish a data-security fund for use by states - and cover $1.8 million of the states' investigation costs. The company previously set aside funds for any settlement."
- Parking Meters: The Next Big Hack? - www.darkreading.com - 06/22/09 - "There are a lot of ways for your identity to be stolen. Until last week, however, parking legally wasn't one that had occurred to most of us. Last week, security researcher Joe Grand offered a preview of his upcoming presentation at the Black Hat USA conference, which will take place in Las Vegas next month. The subject of Grand's presentation: parking meters."
- PCI-DSS: Not on health care provider's radar - www.scmagazineus.com - 06/19/09 - "Health care providers are certainly no stranger to data privacy and security standards related to protected health information (PHI). Although these providers and their respective organizations are well versed in rules, policies and requirements of HIPAA, few are aware that the PCI-DSS rules apply to their businesses and even fewer are compliant."
- MasterCard Level 2 Merchant On-Site Audit Requirement - www.mastercard.com - 06/19/09 - "MasterCard has changed its requirements for Level II Merchant SDP Program Compliance. SDP, or Site Data Protection is the MasterCard program for cardholder security and is similar to the VISA CISP Program. Currently Level 2 MasterCard merchants can complete a PCI DSS Self-Assessment Questionnaire and submit that to MasterCard as part of their SDP certification process."
- MasterCard Gets PCI Tough With Level 2 Retailers? - www.storefrontbacktalk.com - 06/18/09 - "MasterCard has changed its PCI rules and is now insisting that all Level 2 merchants have on-site assessments. “This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually,” wrote Branden Williams, in his excellent Security Convergence Blog, which seems to have broken the story on Wednesday (June 17)."
- Four charged in ATM skimming fraud (Toronto) - www.thestar.com - 06/18/09 - "Four Toronto men face nearly 80 charges in connection to a GTA debit card skimming fraud. Toronto police say in January the suspects attempted to defraud several banks by installing a debit card skimming machine at 20 different ATM locations in Toronto, York, Durham and Peel regions. They also manufactured and used ATM tamper devices and counterfeit debit cards."
- Credit card fraud draws two-year sentence - www.thestarphoenix.com - 06/18/09 - "A man who graduated from the University of Saskatchewan this month with a bachelor of arts in philosophy pleaded guilty Wednesday to hacking into a university computer in 2007 and downloading the credit card information of about 3,600 students. Brandon Brian Therens, 25, also admitted committing other frauds and thefts between May and October 2007 using computer technology..."
- Security Watch - www.americanbanker.com - 06/17/09 - "Nine people in England have been arrested and accused of using stolen credit card account data to purchase their own music online, generating significant royalties for themselves in the process. The people, including several disc jockeys, allegedly used 1,500 stolen credit card numbers to purchase songs through Amazon.com Inc. and Apple Inc.'s iTunes, according to an article the BBC published June 11."
- Heartland Gets Religion on Security - blogs.wsj.com - 06/17/09 - "Heartland Payment Systems CEO Bob Carr is an unlikely spokesman for tech security. But that’s what he’s emerging as. The credit-card processor suffered one of the largest data breaches ever disclosed last year. But rather than taking the time-honored approach of staying quiet and hoping that the negative publicity goes away, Carr is talking openly about what went wrong, the problems with the industry’s security standards, and a new product his company developed to help merchants protect customer data."
- Neutralizing the Smartphone Security Threat - www.technewsworld.com - 06/17/09 - "It's no longer possible to ensure corporate security merely by establishing rigorous safeguards for computer networks. A new mobile era has crept up on the enterprise, and now, with employees carrying around smartphones and other devices that function like mini computers, the implementation of robust mobile security measures has become critical."
- Police Fear Skimmers Used At (Nashville) Gas Stations - www.wsmv.com - 06/17/09 - "Pamela Thompson fears her debit card and personal identification numbers became public. "It's gut-wrenching," she said, "because you don't know who it is or you don't know how they did it." Metro police want to know if Thompson is a victim of a crime called skimming. It happens when con artists place a device on a card swipe and use it to gather digits and combinations."
- Heartland Selects Voltage Security for End-to-End Encryption - www.paymentsnews.com - 06/17/09 - "Heartland Payment Systems has selected Voltage Security as a partner to develop end-to-end encryption (E3) software specifically suited to payments processing. “Heartland is developing a complete end-to-end encryption solution designed to protect cardholder data at all stages of a transaction – from card swipe through delivery to the card brands,” said Bob Carr, Heartland’s chairman and chief executive officer."
- Man credited with thwarting ATM fraud - www.miltoncanadianchampion.com - 06/17/09 - "A Milton man’s keen eye and quick actions resulted in a suspect being arrested in connection with an ATM fraud. Shortly after 3 p.m. Sunday, the resident was using the TD Canada Trust bank machine at 810 Main St. (near Thompson Road) when a piece from the ATM came off, said Sgt. Duncan Taylor of Halton police’s regional fraud unit."
- Heartland CEO says data breach was 'devastating' - www.itworld.com - 06/17/09 - "Heartland Payment Systems chief executive Robert Carr remembers what it felt like when he first heard about the massive data breach at his company earlier this year. "I wanted to throw up. It was devastating," says Carr, recalling how he felt upon realizing that one of his worst fears had come true."
- More debit fraud cases turning up Tennessee - www.herald-citizen.com - 06/16/09 - "More victims of debit card fraud are turning up here, and even two city police officers report their bank accounts have been hit. Meanwhile, Cookeville Police Detectives David Gragg and Tim Terry say they feel their investigation is getting closer to the thief who somehow stole debit card numbers and PIN numbers from people all over this area, yet did not steal their cards."
- The Battle Over Personally Identifiable Information is Lost - www.paymentsnews.com - 06/16/09 - "A new research report titled "Protecting Personal Information: We Lost the Battle, Can We Win the War?" by TowerGroup declares that the financial services industry has lost the battle to protect consumers' personally identifiable information (PII) data."
- Russian or Armenian Mob Used "Model Employee" Con at PCH Arco - www.laweekly.com - 06/16/09 - "An organized-crime ring that police believe is Russian or Armenian targeted a high-volume Redondo Beach Arco gas station, assigned a low-level soldier to infiltrate it and waited eight months while he worked himself into a position where he could implant a tiny, high-tech “skimmer” to steal customers’ credit-card information."
- New Non-Profit To Take On Retailers' Payment Security Woes - www.retailsolutionsonline.com - 06/15/09 - "Amid retailer worries and confusion over cardholder data security and PCI compliance come POS payment system vendors with different products and advice — often making things worse. Retailers concerned with payment standards and data security need a measure of uniformity, not vendors offering wildly varying solutions."
- Scam may have hit 10,000 accounts - www.theage.com.au - 06/15/09 - "TEN thousand ANZ customers may be victims of a Melbourne ATM "skimming" fraud it is now feared, after police arrested five Romanians they allege are members of an international syndicate linked to crimes in Victoria, NSW and Europe."
- Five arrested in Whitby for bank fraud - www.newsdurhamregion.com - 06/15/09 - "A number of Thickson Road banks were hit in a debit scam this weekend, leading to the arrest of five men. Just after 6 a.m. on June 13, Durham Regional Police were called to a Thickson Road South plaza when a witness reported seeing several men run between the TD and CIBC banks there. TD Bank security contacted police shortly after, saying fraudulent debit cards were being used at the plaza's automatic teller machines."
- AP IMPACT: Weak security enables credit card hacks - tech.yahoo.com - 06/14/09 - "Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers. And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found the banks and other companies that handle your information are not being nearly as cautious as they could."
- Police hunt pair over alleged cashpoint tampering - www.chroniclelive.co.uk - 06/13/09 - "THESE two suspects are being hunted by police for allegedly trying to break into cash machines. The men were caught on CCTV tampering with Barclays Bank cashpoints in North Tyneside. It is thought they wanted to insert skimming devices into the machines. These gadgets are used by fraudsters to illegally copy credit or debit card details."
- Ann Arbor police search for thief who used 'skimming' device on ATMs - www.mlive.com - 06/12/09 - "Ann Arbor police are asking for the public's help to identify a man who captured ATM card information by using a skimming device at local automatic-teller machines."
- Investigation Into Debit Card Skimming Continues - www.vocm.com - 06/12/09 - "The RNC says it has no leads after releasing video of potential suspects linked to debit card skimming incidents that occurred in April. 45 incidents were reported from April 10th to 25th, and thousands of dollars have been stolen, but there have been no incidents since then."
- ATM camera scam warning - www.belfasttelegraph.co.uk - 06/12/09 - "Eastern European crime gangs are raiding cash machines across Northern Ireland with sophisticated card-skimming devices, the PSNI warned today. The gangs are manufacturing the devices in eastern Europe and then smuggling them into the province where they can fit them onto ATM machines within minutes, allowing them to read card details and pin numbers."
- Police Search For Identity Theft Suspects - www.wxyz.com - 06/12/09 - "ANN ARBOR, Mich. (WXYZ) - Police are searching for a group of identity theft suspects accused of stealing account numbers in Washtenaw County. The suspects were caught on camera placing a skimming device on an ATM. "
- Bank-card fraud hits dozens in N.L. - www.cbc.ca - 06/12/09 - "Dozens of people have fallen victim to a type of debit- and credit-card fraud called "skimming," police in St. John's say. "That's 45 incidents where bank cards were skimmed and money was taken from the accounts," Royal Newfoundland Constabulary Const. Shawn O'Reilly said Thursday. Tens of thousands of dollars have been stolen from bank accounts in the provincial capital, O'Reilly said."
- Agencies Issue Frequently Asked Questions on Identity Theft Rules - www.bankinfosecurity.com - 06/11/09 - "Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address."
- Security Issues Weigh Most Heavily with Acquirers, Research Says - www.digitaltransactions.net - 06/10/09 - "Security issues weigh more heavily on the minds of executives with merchant acquirers and independent sales organizations than they do among any other payment card industry sector, according to new research from Aite Group LLC. Some 43% of acquiring executives rated data security, including compliance with the Payment Card Industry data-security standard, or PCI, as the “top challenge” of their sector, tied with the 43% who cited “business issues,” a catch-all phrase for pricing and other sector-specific matters."
- NACS, Merchant Groups Ask PCI Council to Lead Collaborative Effort - www.paymentsnews.com - 06/10/09 - "The Payment Card Industry (PCI) Security Standards Council must take the lead in developing a collaborative approach with merchants in defining more open standards for future PCI Data Security Standard (DSS) requirements, stressed NACS (the National Association of Convenience Stores) and several other trade associations in a June 8 letter to the Council."
- T-Mobile Data Breach Raises Retail M-Commerce Concerns - www.storefrontbacktalk.com - 06/10/09 - "Recent incidents involving T-Mobile—where the carrier was forced to confirm some claims of a supposed cyberthief who said that he had hacked in and stolen databases, documents and scripts—don’t help. As e-tailers have learned the hard way from E-Commerce, customers don’t care about tidy legal contracts assigning responsibility and quality-of-service obligations."
- Woman Arrested in Colorado Springs for Fraud Pleads Guilty - www.windowsitpro.com - 06/10/09 - "If you ever watched Star Trek, you soon learned Dr. McCoy’s signature line: “Dammit, Jim, I’m a doctor, not a [insert a more useful occupation for the crisis at hand].” In the Payment Card Industry (PCI), it appears companies are doing a riff on Bones’s signature line: “I’m a merchant, Jim, not a security expert!” So why are we surprised when we hear about the latest data breach?"
- Woman Arrested in Colorado Springs for Fraud Pleads Guilty - www.krdo.com - 06/10/09 - "DENVER - Gintare Sakinyte, aka Moyassar Issa, age 27, pled guilty last week to committing fraud and related criminal activity in connection with the false use of counterfeit credit cards. Sakinyte used fraudulent credit cards to purchase iPods at Target stores in Chicago, Illinois and throughout the Front Range, including Denver and Colorado Springs, Colorado."
- Merchant Groups Ask for Broad Changes in Letter to PCI’s Overseer - www.digitaltransactions.net - 06/09/09 - "They’re mad as hell, but whether they’re going to take it any more isn’t quite as clear. That’s the essence of a letter seven merchant trade groups sent Tuesday to the PCI Security Standards Council and the five general-purpose payment card networks. The merchants want more input when the Payment Card Industry data-security standard, or PCI, is revised, and they also want changes that would ease their compliance burden with the lengthy set of rules that card-accepting merchants must meet."
- Hackers offer T-Mobile data for sale to highest bidder - www.securecomputing.net.au - 06/09/09 - "A group of hackers is claiming to have completely cracked T-Mobile’s network in the United States and stolen proprietary operating data, customer databases and financial records. In a message posted on the Full Disclosure mailing list the hackers claimed to have emailed T-Mobile’s rivals with an offer to sell the information but that they had not heard back. As such, they were offering it to the highest bidder."
- Data Security Regulation 2.0, Part 2: Massachusetts Has Written Your Information Security Program - www.revenews.com - 06/09/09 - "Unlike the Nevada law (see Part 1), which is relatively brief and narrowly focused on the encryption of electronically transmitted data, Massachusetts’ new data security regulation, 201 CMR §17.00(pdf), is extremely sweeping and eliminates much private discretion in the realm of information security by imposing comprehensive, detailed operational requirements for business activities that touch personal information."
- ATM Fraud: 7 Growing Threats to Financial Institutions - www.bankinfosecurity.com - 06/08/09 - "The Heartland Payment Systems (HPY) data breach may be the fraud story of year (so far), but ATM and debit card thefts are growing steadily and frighteningly at financial institutions. Witness the recent announcement by law enforcement in New York City that a criminal gang had stolen $500,000 from hundreds of customers' bank accounts via skimming devices that read and stored account information at Sovereign Bank branches in Staten Island. The gang installed cameras onto the machines, catching victims typing in their PIN numbers."
- Data Security Regulation 2.0, Part 1: In Nevada Transmission Requires Encryption - www.revenews.com - 06/08/09 - "Nevada and Massachusetts are pushing forward with a new, more assertive type of data security regulation that has huge implications for businesses operating online. Call it Data Security Regulation 2.0. In this first of two installments we will overview past regulation and cover changes Nevada is implementing in regards to data security."
- Presentations from the Chicago Fed's 2009 Payments Conference - www.paymentsnews.com - 06/08/09 - "In mid-May the Federal Reserve Bank of Chicago held its annual payments conference - this year's theme was "Payments Pricing: Who Bears the Cost?". Copies of many of this year's conference presentations are now available online. "
- Hacked ATMs let criminals steal cash, PINs - www.idtheftcenter.org - 06/06/09 - "San Diego, CA: The Identity Theft Resource Center® (ITRC) released a significant report today on the impact of identity theft victimization: Identity Theft: The Aftermath 2008. With six years of victim responses and shared experiences, this information provides a unique insight into the crime that may not be apparent to other parties."
- 'Skimming' device put on Oak Creek ATM - www.jsonline.com - 06/05/09 - "A "skimming" device that records credit card information was put on Tri City bank ATM machine in Oak Creek, stealing information from 38 people, police say in court documents. The Tri City customers' accounts were closed and it appears they were not ripped off, according to a search warrant filed in Milwaukee County court. ATM skimmers use small cameras to steal debit or credit card information."
- Hacked ATMs let criminals steal cash, PINs - news.zdnet.co.uk - 06/05/09 - "Malicious software has been found on Eastern European ATMs that allows criminals to steal account data and PINs and even empty the machine of its cash, a computer forensics expert said. About 20 cash machines have been compromised in that manner, mostly in Russia and the Ukraine, but there are "early indications" of compromised ATMs in the US, said Nicholas Percoco of Trustwave, which provides data security and payment-card compliance services."
- Best Buy Bandits - www.wtvr.com - 06/05/09 - "On 5/27/09 two males entered the Best Buy on Brook Road and attempted to use manufactured credit cards to purchase a large quantity of electronic items. Best Buy employees, who had been alerted by other locations, contacted Henrico police upon their arrival. "
- FTC shuts down ISP over spam and botnets - www.securecomputing.net.au - 06/05/09 - "The U.S. Federal Trade Commission has convinced a court to shut down the operations of a rogue internet service provider (ISP) that it claims was hosting spamming systems, child pornography and botnets. The ISP, operating under the names 3FN and APS Telecom under the ownership of Pricewert, is alleged to be actively working with organised crime to host the kind of material that legitimate companies would turn down, such as botnets."
- Amid Recession, PIN Debit Growth Far Outpaces Signature - www.digitaltransactions.net - 06/04/09 - "While the recession is making an impact on consumer spending generally, PIN debit card usage is faring considerably better than that of signature debit. Indeed, PIN debit transactions by consumers grew 15% between July and December, the period during which the economic downturn began making itself felt, nearly four times the rate of growth for debit transactions secured with a signature, according to research released on Thursday by the Pulse electronic funds transfer network. "
- Eye on Security: ‘Unique’ ATM Malware; Theft of Sony Card Data - www.digitaltransactions.net - 06/04/09 - "Malicious software has been discovered on some Eastern European ATMs that has dangerous new powers to extract money as well as card data, according to a security executive. Meanwhile, Sony Corp. of America has confirmed that someone illicitly copied more than 5,000 credit card numbers of its customers who visited its Sony Rewards Web site."
- Why suing auditors won't solve the data-breach epidemic - www.betanews.com - 06/04/09 - "The life of a security auditor has its high points, of course -- travel, getting paid to break stuff, and more travel -- but there's a lot about that job that doesn't recommend it. You're going into someone else's place of business and trying to figure out what they're doing wrong, so you can write a big report that goes to their bosses? I don't care how personable you are, this isn't on the Dale Carnegie list of How To Win Friends."
- South Georgians report suspicious bank account charges - www.walb.com - 06/04/09 - "Suspicious credit and debit card charges are appearing on some south Georgia bank accounts. Banks say those fraudulent charges likely are linked to a security breach last year at a national payment processing company."
- Visa Sees Credit Card Industry Restructuring - www.nacsonline.com - 06/04/09 - "Responding to recent credit card reform legislation signed into law, Visa Inc. (Visa) said earlier this week that the law would compel the payment card industry to restructure, especially as revenue expectations decrease. "It's going to cause the whole industry to rethink itself," said Joseph Saunders, Visa's CEO."
- Obama and Cyber Security: Changes to Come for PCI? - www.nacsonline.com - 06/04/09 - "President Obama announced cyber security plans last week, but experts say that he “left the door open for some form of regulation” that will directly impact how companies secure data and data networks, Dark Reading reports. Industry experts have criticized the current PCI security system, noting that it is self-regulatory and prone to failure."
- Card-skimming prevails - www.itweb.co.za - 06/03/09 - "Card-skimming remains a major concern for local banks – despite efforts to improve security at ATMs. Nedbank recently announced it will roll-out a card security device at its ATMs, in an effort to reduce the risks of fraud. The bank says increased access to its ATMs countrywide – as a result of the installation of more machines – resulted in higher risks for fraudulent activity by criminals."
- Rethinking Payment Security Outsourcing - www.storefrontbacktalk.com - 06/03/09 - "Is adopting a superior technical or business approach the right choice, even if that approach results in the loss of jobs for the company? Or, put another way: Is it justifiable to implement a less secure technology, if employees’ jobs are preserved in the process? "
- Fresno Co. warned of ID theft gadgets - www.fresnobee.com - 06/03/09 - "Fresno County Sheriff Margaret Mims is warning the public about small electronic devices that criminals are installing on gas pumps and ATMs to steal credit card information and make fraudulent purchases. The Sheriff’s Department has received calls about the crime, called “skimming.” A possible skimming incident occurred last week at a gas station at Interstate 5 and West Panoche Road in west Fresno County."
- Police Investigate ATM Skimming Scheme - www.620wtmj.com - 06/03/09 - "Investigators are looking into an "ATM skimming" scheme at the Tri City National Bank in Oak Creek. The skimmer is used to steal debit or credit card numbers from anyone who uses the machine. Sometimes criminals also install small cameras to get pin numbers."
- UK e-tailers don't understand PCI DSS - survey - www.finextra.com - 06/02/09 - "Around 60% of UK online retailers do not know whether they are in compliance with the Payment Card Industry Data Security Standard (PCI DSS), according to a survey from Sage Pay. Around two thirds of the 1000 SMEs polled by the security vendor say payment fraud remains one of the most daunting elements of running an online business."
- Apple sued over methods for repeat iTunes, App Store sales - www.appleinsider.com - 06/02/09 - "Apple, along with more than a dozen other firms conducting e-commerce, have been hit with a lawsuit from a patent troll claiming first rights to technology that simplifies the re-billing process for repeat customers making purchases through online stores."
- What You Don't Know About the World's Worst Breaches - Dr. Peter Tippett on the 2009 Data Breach Investigations Report - www.bankinfosecurity.com - 06/02/09 - "Verizon Business investigated 90 major data breaches in 2008, including 285 million compromised records. Nearly ¾ of those breaches were external hacks, and 99.9 percent of the records were compromised via servers and applications. These are among the findings of Verizon's new 2009 Data Breach Investigations Report."
- In Legal First, Data-Breach Suit Targets Auditor - www.wired.com - 06/02/09 - "When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor’s report. In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before."
- Quiznos hit by debit card scammer last fall in West Vancouver - www.news1130.com - 06/02/09 - "If you used your debit card at a Quiznos Sub Sandwich Shop on Marine Drive at 14th in West Vancouver last fall, you should probably change your PIN. Police say someone had been skimming numbers from a debit machine there during a three-week period. The restaurant had been for sale at the time and is now closed."
- Spicy Pickle restaurants closing in Kalamazoo area - www.wwmt.com - 06/02/09 - "Two restaurants in the Kalamazoo area are closing their doors for good, and all because of a fallout over credit card theft. The Spicy Pickle closed its locations on West Main St. in Kalamazoo and on West Centre Ave. in Portage on Sunday, May 31. The owners of the restaurants say that the closures came because of declining business that was tied to a credit card theft incident last winter."
- Batteries.com, insurance firm report data breaches - www.computerworld.com - 06/02/09 - "Batteries.com, an online seller of batteries for consumer electronics, and Aviva USA, one of the largest insurance companies in the world, have both reported data breaches in recent days. Both companies reported the data breaches to the New Hampshire Department of Justice in May, with Batteries.com reporting that 865 residents of New Hampshire may be affected."
- Credit Card Tokenization: Put All Your Data Eggs in One Basket—and Watch That Basket - blogs.systeminetwork.com - 06/02/09 - "I was on a call recently with Gartner, Inc., analyst John Pescatore to learn about credit card tokenization. Pescatore, who specializes in Payment Card Industry Data Security Standard (PCI DSS), encryption related to PCI DSS, and overall security of Internet systems for Gartner, explained that tokenization can reduce a company's odds of a data breach as well as reduce the cost and complexity of PCI DSS compliance and auditing. "
- Do Not Kid Yourself: You Don't Have To Be A "Tech" Company To Face Risk From Privacy And Data Security Claims - www.metrocorpcounsel.com - 06/01/09 - "In this day and age, virtually every business is a "data" or "Internet" company by virtue of handling various types of personal information, and thus has exposure to privacy and data security related claims. Whether the claims arise from a "hacking" incident on a company's website or network, a misplaced laptop containing customer or employee information, or allegations of improperly collecting or using personal information, companies that have even transitory possession of customers' or employees' personal confidential information face potential liability and regulatory risk."
May 2009
- Debit card scammers strike in Cornwall - www.standard-freeholder.com - 05/29/09 - "A rash of debit card fraud has left people throughout the city running to their banks to protect their money. Monique Sequin became wise to the problem when she visited a local supermarket recently - only to get a message at the register saying her debit card wasn't set up."
- Heartland Update: More than 650 Institutions Impacted - www.bankinfosecurity.com - 05/29/09 - "While it's hard to get a handle on just how many consumers were affected by the Heartland Payment Systems (HPY) data breach, the total number of institutions now reporting card compromises is at 656."
- Cybersecurity Review Finds U.S. Networks 'Not Secure' - www.informationweek.com - 05/29/09 - "The White House has released a report calling for urgent action to secure the nation's computer network infrastructure. The report covers the findings of a 60-day review of national cybersecurity policy and practice by Melissa Hathaway, a member of the National Security Council (NSC) and the acting White House cybersecurity chief."
- Hack maliciously to boost your software's security - www.techtarget.com - 05/28/09 - "Everyone claims to know the "right way" to go about testing the security of Web applications. "Perform an external scan," the auditors recommend. "Just use our vulnerability scanner," the vendors proclaim. "Do a peer review of the source code," the quality assurance (QA) analysts declare. And then there are the government, industry regulatory, and standards bodies who believe they know what it takes to secure an app. Regardless, it's their way or the highway. Ha! "
- ID Theft Use of Credit Cards Leaps - www.pcworld.com - 05/27/09 - "ID theft victims are much more likely to get hit with fraudulent charges on their credit cards or debit cards, according to a new study from the Identity Theft Resource Center that tracks the effects of ID theft. In 2008, 39 percent of victims saw such charges, more than twice the 15 percent from 2007, according to the study."
- ATM card skimming on the rise - www.fredericknewspost.com - 05/27/09 - "It's called "skimming," and ATM users worldwide are losing millions. The ATM Industry Association describes skimming as one of the industry's most recurrent fraud threats. The practice hit Frederick in April, when the PNC Bank automated teller machine at 191 Thomas Johnson Drive was rigged with a skimming device, Frederick police said. "
- Kansas City Fed Chief Espouses ACH for Debit Card Processing - www.digitaltransactions.net - 05/27/09 - "The Federal Reserve Banks should adapt the automated clearing house network to compete directly with private-sector networks for debit card processing, the head of the Federal Reserve Bank of Kansas City said this week. “The Federal Reserve could enhance competition in payment card markets by positioning ACH services as an alternative to debit card payment networks,” said Thomas R. Hoenig, president of the Kansas City Fed, in remarks delivered on Monday at a retail-banking conference held by the European Central Bank in Frankfurt, Germany."
- Banks cancel debit cards as fraud investigation continues - www.piquenewsmagazine.com - 05/27/09 - "Potentially hundreds of customers at local bank branches have had their cards cancelled and replaced this week, often with no warning, in response to an ongoing debit card fraud investigation. Officially the RCMP are investigating 16 reports of unauthorized withdrawals, including two in the past week, with charges over $30,000 dating back to April 20."
- Debit Cards Canceled Amid Security Breach - www.wfsb.com - 05/26/09 - "Hundreds of Putnam Bank customers had their debit cards canceled over the weekend after reports of widespread fraud. The problem started Friday night at the Someplace Special restaurant in Putnam when bank card after bank card was rejected, said Michael Vassar, the restaurant's general manager."
- Take The POS Out Of The Scope Of PCI - www.ismretail.com - 05/26/09 - "Stop me if you’ve heard this one: a PCI auditor tells this retail merchant who has an aging POS application that he has until July 2010 to get all his payment related applications PCI compliant. That’s it, no punch line, just reality."
- US bank sues IT supplier Savvis - www.courthousenews.com - 05/26/09 - "Merrick Bank claims it lost $16 million after hackers compromised as many as 40 million credit card accounts. The bank claims that Savvis, an information technology firm, erroneously assured it that the bank's processor, CardSystems Solutions, complied with Visa and Mastercard's security regulations."
- PPISC urges solidarity for security - www.greensheet.com - 05/25/09 - "The inaugural meeting of the Payments Processor Information Sharing Council was attended by 30 industry veterans representing 20 merchant acquirers and third-party payment processors. The council is dedicated to sharing information about data breaches and preventing attacks on payment networks."
- Diverse perspectives on end-to-end encryption - www.greensheet.com - 05/25/09 - "Issues pertaining to data security have received unprecedented attention in recent years, fueled partly by high-profile breaches at businesses like TJX Companies Inc., Hannaford Bros. Co., Heartland Payment Systems Inc. and RBS Worldpay Inc. Featured prominently in the discussion is end-to-end encryption."
- Trustwave raises alarm, advises hospitality sector - www.greensheet.com - 05/22/09 - "In response to a growing number of data security breaches in the hospitality industry, information and security compliance firm Trustwave issued an alert to help hotels and restaurants identify and address security weaknesses. Colin Sheppard, Forensic Practice Manager for Trustwave, said much of the problem involves the multichannel acceptance of payments. Channels of acceptance include MO/TO, card-present, point-of-service transactions and card-not-present payments done via the Internet."
- Online Trust Alliance releases draft of security and privacy principles - www.internetretailer.com - 05/22/09 - "The Online Trust Alliance has released a draft of Online Trust Principles addressing security and privacy issues for e-commerce and online sites. The proposed principles cover three areas: infrastructure, including protection of servers, web sites, desktops and mobile devices; data, including sensitive and personally identifiable information; and user control, choice and privacy."
- Block Put On Hundreds Of Winthrop Debit Cards - www.wbztv.com - 05/22/09 - "The credit union stayed open Friday until 6 p.m. to give cash to affected customers for the weekend. Credit union officials say its card processor, Metavante, noticed suspicious activity on three of its MasterCard debit cards and notified the credit union about them. While it was not a security breach, the Winthrop Federal Credit Union decided to freeze a block of cards as a precaution, something that Metavante did not advise them to do."
- Ignorance Is Not a Defense - www.nacsonline.com - 05/21/09 - "GRAPEVINE, Texas – Ignorance, in some instances, can be bliss — but not when it can cost you hundreds of thousands in fines and risk a public relations nightmare that can destroy your brand. Such is the case with PCI compliance: Ignorance is not bliss. NACStech speakers shared with attendees what they need to know about PCI compliance at the aptly titled workshop, 'PCI Compliance: Ignorance is Not a Defense.'"
- Australia lagging in data security compliance: PCI Security Standards Council - www.cio.com.au - 05/21/09 - "A lack of financial penalties and a mandate to publicly admit data breaches may be clouding the real state of credit card payment and customer information security in Australia, according to a senior executive from the Payment Card Industry (PCI) Security Standards Council."
- MARYLAND: Device found to steal ATM info - www.delmarvanow.com - 05/21/09 - "FREDERICK, Md. — Frederick police say a "skimming" device was installed on an ATM to record the information on the magnetic strips of credit or debit cards. Police said Wednesday that a camera was also installed to record customers typing in their PIN at the freestanding PNC Bank machine at Opossumtown Pike and Thomas Johnson Drive near Fort Detrick."
- Security vulnerabilities persist in hospitality industry - www.thetechherald.com - 05/20/09 - "When checking into a hotel and asked for a credit card for incidentals, or when pre-paying online, do you honestly give it a second thought considering most hotels are big chains and well established? If you're among the majority of consumers, then no, you do not. However, recent breaches and a new study from Trustwave might make you pause in the future."
- Codes on Cards - www.americanbanker.com - 05/20/09 - "Visa Europe, hoping to combat rising online fraud in a market where smart cards offer higher security for purchases made in person, is testing a system that allows credit cards to generate one-time passwords for Internet purchases. The cards have a keypad and display on their backs. When cardholders punch in their PINs the cards will generate four-digit passwords to authenticate online transactions, according to an article published on the BBC's Web site May 13."
- Heartland Data Breach: Hearing Set for Class Action Suits - www.bankinfosecurity.com - 05/20/09 - "A federal judicial panel will hear arguments next week on whether to consolidate the class action lawsuits brought against Heartland Payment Systems (HPY) by financial institutions. The Judicial Panel on Multidistrict Litigation in Louisville, KY will hear the arguments next Wednesday, according to Benjamin Johns, one of the lawyers representing the class action suit from the law firm of Chimicles & Tikellis, Haverford, PA."
- ATM Numbers Stolen at Local Arco Station - www.ktla.com - 05/20/09 - "REDONDO BEACH -- Police are searching for a former Arco employee suspected of stealing debit card numbers from customers at a station in Redondo Beach. Police say a skimming device intercepted the personal information from as many as 1,000 people and withdrew $200,000 from their bank accounts. Customers started reporting the thefts last week, but more victims have come forward this week, police said."
- RBS WorldPay Returns to Visa's and MasterCard's List of PCI DSS Validated Services... - www.reuters.com - 05/20/09 - "Following the successful completion of its Payment Card Industry Data Security Standard (PCI DSS) assessment, RBS WorldPay has returned to both Visa's and MasterCard's list of PCI DSS Validated Service Providers. RBS WorldPay has successfully validated its compliance with PCI DSS, conducted by Verizon Business/Cybertrust, one of a select group of companies approved by the PCI Security Standards Council as a Qualified Security Assessor (QSA). "
- An Expert Casts Doubt on Stickers for Mobile Payments at the POS - www.digitaltransactions.net - 05/20/09 - "With near-field communication (NFC) technology seemingly on hold in North America, mobile-payments backers are turning to radio-frequency identification tags with adhesive backing that can be affixed to phones (Digital Transactions News, Oct. 15, 2008). These so-called stickers, offered by First Data Corp., Oberthur Technologies, and other companies, are widely seen as a half-way house to full-scale NFC."
- Credit card fraud on the rise, say banks - www.daijiworld.com - 05/19/09 - "Fraud involving credit cards issued in the GCC, after years of being kept at bay, appears to be on the rise, bankers said. Speaking on the sidelines at the 10th Annual Cards Middle East conference, Jonathan Campbell-James, HSBC’s regional head for security and fraud risk, said the bank had experienced a “notable” jump in fraud in the first quarter of 2009 from the previous year."
- Security breach affects 5/3 Bank users - www.woodtv.com - 05/19/09 - "GRAND RAPIDS, Mich. (WOOD) - Fifth Third Bank is informing some customers through letters in the mail that there has been a security breach at a third-party company that provides processing services. As a result, customers' debit and credit cards issued by Fifth Third Bank may have been compromised."
- Security group to consider wireless, virtualization standards for payment-card industry - www.networkworld.com - 05/19/09 - "Regulatory changes are coming for the payment-card industry, say leaders of the PCI Security Standards Council, which is responsible for developing and implementing security standards for cardholder data protection. The council, which has about 500 participants, just completed the annual process of electing its board of advisors."
- Computer Glitch Blamed For Credit Card Breach - www.theindychannel.com - 05/19/09 - "INDIANAPOLIS -- A credit card company said Tuesday that a computer glitch caused more than a hundred people's statements to be posted online last week. Constance Wilson, who lives in McCordsville, alerted CompuCredit after she logged in to pay her Aspire Visa card bill and instantly had access to 120 other statements from people in Indiana and 31 other states, Call 6's Rafael Sanchez reported."
- Mafia tie to theft (Australia) - www.bendigoadvertiser.com.au - 05/18/09 - "THERE are fears the discovery of a skimming device at an ATM in Strath Village could be part of an elaborate global sting with connections to the Mafia. The Advertiser reported this month that a Commonwealth Bank ATM at Strath Village had been fitted with a skimming device, believed to have been planted between 4pm and 5pm on May 6."
- Skimmers cost Dutch banks 31 million euros - www.radionetherlands.nl - 05/18/09 - "The losses sustained by banks in the Netherlands due to debit card 'skimming' amounted to 31 million euros last year. That is 0.02 % of the total debit card transactions. It is the first time that banks in the Netherlands have calculated the damages caused by skimming."
- Online Banking Customers Hit Hard...need Hardware - pindebit.blogspot.com - 05/18/09 - "Consumers in Australia are being hit every day with hundreds of emails that are supposed to be from the Commonwealth Bank and the Federal Reserve Bank however investigators and the banks say they are all part of a massive global scam to extract money."
- Trustwave ETA Webinar: Identifying and Reducing Scope of PCI DSS Compliance Efforts - www.trustwave.com - 05/16/09 - "The Electronic Transactions Association and Trustwave invite you to attend a complimentary interactive webinar titled, Identifying and Reducing Scope of PCI DSS Compliance Efforts. During this webinar, Don Brooks, a Trustwave Sales Engineer, will discuss how to make PCI DSS more manageable by decreasing the area of your network that the standard applies to."
- Debit card scam thwarted, RCMP say - www.cbc.ca - 05/15/09 - "RCMP have seized seven debit card pads they claim were going to be used to hijack the bank accounts of Nova Scotians. The discovery was made Monday afternoon when RCMP pulled over a speeding vehicle on Highway 102 in Fort Ellis, near Stewiacke. An officer searched the vehicle and found some marijuana. The modified pinpad devices and tools used to tamper with them were found during a closer inspection."
- Credit card fraud on the rise: report - www.abc.net.au - 05/15/09 - "An industry report has identified a rise in the rate of internet and telephone credit card fraud. Figures from the Australian Payments Clearing Association (APCA) show the credit card fraud rate was 45 cents per $1,000 in 2007, but in 2008 it had climbed to 53 cents."
- Millions tossed out of Sweetbay data breach suit by Maine judge - www.tampabay.com - 05/15/09 - "No harm, no foul, a federal judge in Maine ruled in tossing millions of shoppers out of a class-action suit seeking damages for a sweeping credit and debit card data breach at Sweetbay/Hannaford Bros. supermarkets a year ago."
- PCI in the Age of Heartland - www.technewsworld.com - 05/14/09 - "It's evident that PCI compliance is not enough to fully protect credit card transaction data. Major fiascos such as the infamous Heartland, RBS WorldPay and TJX data breaches will continue to occur unless the system is fixed. One possible solution? Protection that starts at the database level."
- Two sought in North Fort Myers credit card fraud case - www.news-press.com - 05/14/09 - "Crime Stoppers is asking for the public's help in identifying two suspects who charged up several hundred dollars worth of cigarettes and other items using credit card information belonging to someone else. According to detectives with the Lee County Sheriff's Office, the unknown suspects likely used a skimmer to acquire the victim's account information. A skimmer is a small electronic device used to swipe the victim's credit card to capture all account information, which is then transferred onto another card that the suspects use. "
- Visa card doubles as two-factor authentication device - www.securecomputing.net.au - 05/14/09 - "Consultancy firm Deloitte is involved in the testing of a new type of corporate credit card, which doubles as a two-factor authentication device for remote network access. The Visa Corporate Barclaycard, which is being given to 500 Deloitte staff in the UK as part of a pilot programme, has a built-in LCD screen and keypad that generates a one-time passcode and allows users to enter their PIN."
- Prospects Gloomy for Texas Data Breach Bill - www.cutimes.com - 05/14/09 - "Despite vigorous lobbying by credit unions, prospects were dim Thursday the Texas legislature would pass a landmark bill plugging data card breaches. 'There’s still a chance something might happen tomorrow in the Texas House but let me say that we’ve known for some time we have a big fight on our hands with retailers,' declared Buddy Gill, the chief advocacy officer for the Texas Credit Union League."
- Skimmer found on Bradford bank ATM - www.innisfiljournal.com - 05/14/09 - "Equipment used to steal debit card information was discovered on an ATM at a Bradford bank Tuesday. A customer at a Scotiabank branch on Holland Street West discovered a card reader attached to the bank machine. A small camera used to record people's PIN security number was also discovered."
- Police search for two credit card fraud suspects - www.fox4now.com - 05/14/09 - "Lee County Sheriff's Office detectives are asking for your help to find two suspects who charged several hundred dollars worth of cigarettes and other items on someone else's credit card. Detectives say the suspects probably used a skimmer to get the victim's account information."
- Participation Will Be Key to Heartland's Encryption Effort - www.gartner.com - 05/13/09 - "Heartland Payment Systems will offer end-to-end encryption to re-establish its credibility as a secure processor and strengthen its security practices. To work, its plan must be adopted by merchants and card brands."
- Skimming hit 1,250 debit cards - www.brantfordexpositor.ca - 05/13/09 - "About 1,250 debit cards were skimmed at a Colborne Street West fast food restaurant over a period of about six weeks, city police said on Wednesday. The skimming took place at Subway Restaurant, 121 Colborne St. W. from March 25 to May 4, police said. Police said that 201 of the skimmed debit cards had been used for unauthorized financial transactions. "
- Is Heartland’s End-to-End Move The First Shot In A Processor Lock-In War? - www.storefrontbacktalk.com - 05/13/09 - "Back in the late 80s, when I was covering the Unix area, much of the activity involved anti-competitive moves from one vendor to the next. Indeed, those folk did a lot more fighting than they did inventing or selling, which is why Microsoft never sweated Unix much. In those days, proprietary was a bad word, suggesting a vendor ploy to lock-in IT departments to have to stick with their products because it became too expensive to switch."
- Implications of Heartland’s Beyond PCI Strategy for Retailers - www.storefrontbacktalk.com - 05/13/09 - "Heartland’s strategy—detailed here in a series of StorefrontBacktalk podcasts with Carr—is the most aggressive since TJX announced they were going to hold a special “we’ve been breached” sale for all of the public. But what are the implications of this bold strategy for retailers and the rest of the market? Here’s a few of the things I am hearing as I talk to merchants, processors and other PCI market players."
- Skimmer scam defrauding Tehachapi cardholders - www.tehachapinews.com - 05/13/09 - "A ring of thieves is capturing credit and bank debit card numbers from cards used in Tehachapi and charging large amounts before the scam is discovered. Detective Denise Brown of the Tehachapi Police Department is leading an investigation that was triggered by a flurry of reports from victims who realized their card numbers had been stolen recently."
- Lankan in Britain jailed for huge credit card fraud - www.dailymirror.lk - 05/13/09 - "A Sri Lankan working as a cashier at a Northampton petrol station in Britain has been jailed after he was found guilty of having cloned more than 1,000 credit and debit cards, and netting at least £300,000 for the fraudsters. Northampton Crown Court on Monday sentenced Suntharam Thevaratnam, (33) to three years jail on pleading guilty to the fraud charges."
- Judge tosses all but one Hannaford data breach claim - pressherald.mainetoday.com - 05/13/09 - "A federal judge on Tuesday dismissed nearly all of the civil claims filed against Hannaford Bros. for the supermarket giant's alleged failure to protect and notify consumers during an electronic data breach in late 2007 and early 2008. Judge D. Brock Hornby ruled that the only consumers who will be allowed to proceed with the lawsuit are those who were not reimbursed by their banks for the fraudulent charges on their accounts."
- Security Watch - www.americanbanker.com - 05/13/09 - "Computer viruses seem to be getting more destructive, in part because criminals are trying to make it harder for people to spot account takeovers. The Zeus kit is an example of this. The $700 malicious software kit has what The Washington Post's Brian Krebs described in his "Security Fix" column on May 7 as a 'nuclear option.'"
- Dark Market infiltrator claims that hackers are involved in organised crime - www.securecomputing.net.au - 05/12/09 - "The FBI agent who infiltrated a notorious hacker community has spoken about his experiences. Agent J. Keith Mularski spent two years infiltrating the Dark Market forum before members were arrested in September 2008."
- Skimming device found at Kington Co-op cashpoint - www.herefordtimes.com - 05/12/09 - "TWO men were arrested last Friday (May 8) after a skimming device was found at a Kington cashpoint. Police made the discovery at around 9.15pm after being called to the town’s Co-op supermarket. The men, both Eastern European and thought to be from the London area, were apprehended by officers after card cloning equipment used to commit fraud was found on the ATM there."
- Debit card skimming group arrested - www.empirestatenews.net - 05/12/09 - "An investigation conducted by Cicero Police Department, Syracuse Police Department, New York State Police and the U.S Secret Service into several grand larceny complaints in Cicero, New York came to a successful conclusion with the arrest of four Romanian men in Florida."
- Woman pleads guilty in LR credit card scheme - www.wxvt.com - 05/12/09 - "A woman accused of helping three men steal credit card information from diners at two Little Rock restaurants has pleaded guilty to a conspiracy charge. Chantell Denise Bentley, who is 36, pleaded guilty Monday to conspiring to commit access-device fraud. She will be sentenced at a later date."
- Woman Finds Credit Card Statements Unprotected Online - www.theindychannel.com - 05/12/09 - "A major credit card company is investigating how more than a hundred statements were made available online after an Indiana woman alerted them to the problem. Constance Wilson had logged in to pay her Aspire Visa card bill when she instantly had access to 120 other statements from people in Indiana and 31 other states, Call 6's Rafael Sanchez reported."
- Mobile phone technology developed to cut down credit card fraud - www.scmagazineuk.com - 05/12/09 - "Mobile phone technology that can locate a person and determine if a credit card transaction is fraudulent has been developed by Ericsson IPX. Following incidents where members of the IPX team had been victims of credit card fraud and had their cards blocked due to ‘unusual activity', IPX has developed the technology that can determine where a user is geographically in around two seconds."
- Heartland Data Breach: Is End-to-End Encryption the Answer? - www.bankinfosecurity.com - 05/11/09 - "The announcement by Heartland Payment Systems (HPY) that it will offer its merchants end-to-end encryption capabilities is seen as a positive step by industry experts. Yet, these same experts also warn that this measure will not solve all of the security issues that Heartland and other payment processors face from hackers. In Heartland's first-quarter earnings call last Thursday, company officials said so far last year's well-publicized data breach has cost them $12.6 million. "
- Heartland’s New Encryption Strategy: Let Them In, But Limit Them - www.storefrontbacktalk.com - 05/11/09 - "Late this year, databreach victim Heartland Payment Systems will roll out its version of end-to-end encryption, leveraging a Tamper-Resistant Security Module. But the encryption-key strategy behind it is willing to allow cyber thieves to get some data, as long as it’s not enough for them to make any money from that information. Making the hardware technology part work will be comparatively easy, compared with the task of getting retailers to buy in, along with getting the backing of Visa, MasterCard, AmericanExpress and other card brands."
- Heartland CEO Vows To Fight MasterCard Breach Fines Of $6 Million-Plus - www.storefrontbacktalk.com - 05/11/09 - "Heartland Payment Systems has apparently decided that being a data breach victim doesn’t mean that it has to be victimized by the card brands. At least that’s the impression from how Heartland CEO Robert Carr is reacting to more than $6 million in fines imposed on it by MasterCard, fines that he said were illegal and that he plans to 'vigorously contest.'"
- ATMs on Staten Island rigged for identity theft; bandits steal $500G - www.nydailynews.com - 05/11/09 - "A band of brazen thieves ripped off hundreds of New Yorkers by rigging ATMs to steal account and password information from bank customers. They used the pilfered info to swipe half a million dollars from their victims' bank accounts - the latest twist in increasingly aggressive identity-theft scams, police said."
- Heartland Comes Out Swinging After Data Breach - www.pcworld.com - 05/07/09 - "In the months following the disclosure of what may be the largest data breach in US history, Robert O. Carr, chairman and CEO of Heartland, has come out swinging. Instead of going into a near-death spiral of damage control mitigating the revelation that 100 million customer records leaked during 2008, Carr has been pointing the finger at the payment industry itself for not going far enough with best practices."
- Scientist finds card misused (India) - timesofindia.indiatimes.com - 05/07/09 - "The next time you book a movie or flight ticket online, exercise caution. According to cyber cell officials of the Chennai suburban police, several fake websites are hacking into netizens' accounts. The latest one to fall prey to cyber crime is D Rajasekhar, a scientist with the National Institute of Ocean Technology, whose credit card details were stolen to make transactions worth Rs 85,000."
- Debit card fraud cases up in SLO, police say - www.sanluisobispo.com - 05/07/09 - "San Luis Obispo Police are warning residents of a recent increase in debit card fraud. Police said Thursday that over the last 10 days, from April 27 through Monday, they have noticed an increase in people reporting debit card fraud in the city. Detectives and U.S. Secret Service Agents have been investigating cases involving stolen debit card information."
- Claire's Boutique Clerk Suspected Of ID Theft - www.kcra.com - 05/07/09 - "More than 150 customers at a local boutique may be victims of a credit card skimmer, and detectives want help finding their suspect. Cassandra Montrevel, 23, of Sacramento, is believed to have used a credit card reader while she worked at the Arden Fair Mall Claire's store, according to the Sacramento County Sheriff's Department."
- Security breach cost Heartland $12.6 million so far - www.itworld.com - 05/07/09 - "Heartland Payment Systems Thursday reported that the security breach it disclosed earlier this year has cost the company about US$12.6 million so far, including legal costs and fines from MasterCard and Visa, which directly contributed to a $2.5 million loss for the quarter. Heartland also detailed plans to protect its credit- and debit-card processing network with an end-to-end encryption system that it will begin rolling out with its merchants in the third quarter."
- Circuit Upholds Remand to State Court Under Home State Exception to CAFA - www.law.com - 05/07/09 - "The 1st U.S. Circuit Court of Appeals recently ruled on an issue of first impression for the circuit by remanding a Class Action Fairness Act case back to state court under CAFA's home state exception to federal jurisdiction. In the May 1 opinion, which followed the lead of a 4th Circuit decision last year, a three-judge panel upheld the U.S. District Court for the District of Maine's remand order to Florida state court."
- Raising the Bet: A National Payment Security Standard - www.storefrontbacktalk.com - 05/07/09 - "In the high stakes poker tournament that is the payment processing industry these days, a group of merchants and payment application vendors has raised the bet. Not content to just advise the players (by joining the PCI SSC), a group of merchants and payment system vendors have decided to take a seat at the table by launching their own payment security standard – an American National Standard, under the auspices of the ASC X9 standards committee."
- PCI SSC Standards Trainings in Sydney and Atlanta - www.pcisecuritystandards.org - 05/06/09 - "This is a 2-day training course based directly on the PCI SSC Qualified Security Assessor (QSA) training program. Attendees will learn what the QSAs learn so they can better prepare for an on-site PCI DSS assessment or perform the assessment internally. This is not a certification course. The course will cover: PCI Program, Scoping a PCI DSS Assessment, PCI DSS v1.2 Requirements and Compensating Controls."
- Police Warn of Credit and Debit Card Skimming - www.lasvegasnow.com - 05/05/09 - "Thieves are waiting at gas stations to commit a stealthy and growing crime. When you use your credit card, they have a way of getting the number and then getting your money. It's called skimming and it's taking place at several gas stations around town. Using technology, thieves are able to read the magnetic strip on your card, and it's a growing problem. Last year, Metro only had 30 skimming cases. Last month alone they had 30, but there are some ways you can protect yourself."
- Symantec Exec Touts Automation as Security Solution at RSA 2009 - www.fusionauthority.com - 05/05/09 - "'The current security model isn't working. It's time for us to change how we approach security,' said Enrique Salem, President and CEO of Symantec Corporation at RSA Conference 2009. The widely distributed single threats of the past have given way to large numbers of highly targeted microthreats. 'Today's servers are auto-generating malware at a very rapid rate, and they are targeted. They are targeted at individuals, they are targeted at trying to steal confidential information.'"
- Terrorism funded with stolen data - www.greensheet.com - 05/04/09 - "Andrew R. Cochran, founder and Co-Editor of the Counterterrorism Blog, delivered a statement dated March 31, 2009, to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Hearing, United States House Committee on Homeland Security. The statement entitled "Do the Payment Card Industry Data Standards Reduce Cybercrime?" outlined a number of instances in which stolen U.S. credit cards were used to fund terrorist attacks."
- Skimming device found on bank ATM in Colorado - www.koaa.com - 05/04/09 - "A skimming device was found on a bank ATM in the Denver suburb of Westminster. The skimming device allows thieves to steal your personal information. It was found on an ATM at First Bank, at 94th Avenue and Sheridan Boulevard. It was found April 23, and could have been there as long as a month."
- Romanian man jailed for six months over ATM skim scam - www.news.com.au - 05/04/09 - "Cash-strapped Ioan Selesi, who was in Australia on a tourist visa and did not have the right to work, ordered a skimming device on the Internet and attached it to the security door of a bank in George St, Sydney, in April."
- Heartland again PCI compliant - www.securecomputing.net.au - 05/04/09 - "Breached payment card processor Heartland Payment Systems has been again certified compliant with the Payment Card Industry Data Security Standard (PCI DSS), the company announced. In March, two months after the breach was disclosed, Visa removed Heartland from its list of compliant service providers."
- Vittorio Tarantino, Alexandru Dragomir and Gabriel Mircea Staicu Arrested and Charged with Fraud and Identity Theft - www.backgroundnow.com - 05/04/09 - "The defendants were arrested on April 17, 2009, on a previously filed complaint. At the arraignment, the court set a $250,000 corporate surety bond for defendants Tarantino and Staicu. However, neither have posted bond and are currently detained. Defendants Dragomir and Staicu were ordered detained pending trial."
- Identity Theft Device Found By ATM - www.krdo.com - 05/02/09 - "A "skimming device" used to steal information from credit and debit cards has been found near an ATM at a First Bank Branch in Westminster. The device has been sent to a Secret Service lab for further examination. According to police, skimming devices read the magnetic strip on debit and credit cards as they're inserted into an ATM."
- The TJX Case: It Lives! With a New Theory of Liability: “Unfairness” - www.infoseccompliance.com - 05/02/09 - "Little known (or at least discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via VISA and Mastercard dispute resolution processes."
- Debit Card Skimming Group Arrested and Charged With Fraud and Identity Theft - http://www.freerepublic.com - 05/01/09 - "R. Alexander Acosta, United States Attorney for the Southern District of Florida, Jonathan I. Solomon, Special Agent in Charge, Federal Bureau of Investigation (FBI), Miami Field Office, and Michael K. Fithen, Special Agent in Charge, U.S. Secret Service (USSS), Miami Field Office, announced that defendants..."
- Chip-and-PIN security goes on trial - http://www.securecomputing.net.au - 05/01/09 - "A trial that could prove to be a test case for the security of chip-and-PIN card technology starts today in the UK. Alain Job is suing UK bank Halifax, claiming that a fraudster withdrew £2,100 from his account at cash machines despite the fact he did not lose his card and changed his PIN as soon as he received it. "
- Skimming device found near Westminster ATM - www.denverpost.com - 05/01/09 - "Westminster police and the Secret Service have determined that a suspicious device found at an area bank is a skimming device. The information-stealing device was found April 23 on the ground next to a First Bank ATM at West 94th Avenue and Sheridan Boulevard. The ATM was last serviced on March 22, but police can't determine how long the skimmer was on the ATM."
- LexisNexis warns 32,000 people about data breach - www.kansascity.com - 05/01/09 - "The LexisNexis online information service Friday told 32,000 people that their personal information might have been improperly accessed by former customers. Postal officials said at least some of the information appeared to have been used in a credit card fraud scheme that had bilked about 300 people."
- Indiana Legislation Penalizes ID Thieves - www.insurancejournal.com - 05/01/09 - "An Indiana bill that would strengthen protections against identity theft is poised to win final approval from the Indiana General Assembly and move to the governor's desk. House Enrolled Act 1121, the identity-theft protection legislation, already has passed once in the Indiana House and state Senate; and a concurrence vote in the House is anticipated soon."
April 2009
- Ooops! Music downloader releases employees' info on Web - www.wbbm780.com - 04/30/09 - "Investigators for the Illinois Attorney General's office believe a state employee downloading music to a laptop computer accidentally caused the release of personal information about Department on Aging personnel and former employees."
- Merchant Group Pushes Card-Security Standard in Parallel to PCI - www.computerworld.com - 04/30/09 - "A payments-focused group of heavyweight merchants is emerging from obscurity to push for new standards to protect credit and debit card data. But just how these standards would complement or possibly conflict with the existing Payment Card Industry data-security standard (PCI) remains unknown."
- New standard for encrypting card data in the works; backers include Heartland - www.computerworld.com - 04/30/09 - "The same organization that led the development of security standards for payment-card magnetic stripe data and PIN-based transactions will soon begin work on a new specification for encrypting cardholder data while it is in transit between systems during the transaction process."
- PCI’s Grading System Is Failing - www.storefrontbacktalk.com - 04/29/09 - "For months, retailers and Congress have been attacking retail security standards, but few realize that the problem is not in the standard itself. The problem is a grading system that causes most retailers to be out of compliance most of the time because the rules require 100 percent compliance. How often in school did you score 100 percent?"
- A bigger bite for Visa, MasterCard - www.greensheet.com - 04/27/09 - "We have all read the articles. Interchange and the issuing banks that benefit from interchange hikes are under assault from merchants and merchant groups concerned about the impact of increased interchange. The U.S. Congress is considering laws to regulate interchange. Given the precarious financial position of most banks, I do not believe such laws will pass anytime soon, but the threat is real."
- FBI deploys cyber agents worldwide - www.securecomputing.net.au - 04/27/09 - "'The FBI has made cybercrime one of its top three priorities and currently has full time cyber officers deployed in 60 countries', Shawn Henry, assistant director for the agency's Cyber Division, said at the RSA conference last week. 'Through those efforts we have arrested almost 100 people, recovered millions of dollars,' Henry said. 'There's been tremendous success; we want to deploy agents in more countries too.'"
- Data Security Breaches Present Emerging Risks, Opportunities for Agents - www.insurancejournal.com - 04/27/09 - "Data security represents both a new market opportunity to sell insurance coverage and a new risk — especially for independent insurance agencies that may not be compliant with data security laws or have plans in place to protect their own companies from data breaches."
- Rash of debit card scams under investigation - www.macon.com - 04/25/09 - "Wednesday was payday for Ralph Hill. Knowing that money would be in his account, he went to a Robins Federal Credit Union ATM in downtown Macon just before 4 p.m. to withdraw cash for his car tax. But the automated teller machine flashed a message asking him to go inside the bank branch."
- Former DOH Employee Arrested For Credit Card Theft - www.ny1.com - 04/24/09 - "A former city Health Department employee and two others are under arrest for stealing credit card information from residents who ordered duplicate birth certificates from the department. The investigation into the alleged fraud began when officials discovered dozens of blank birth certificates."
- You Can’t Set It And Forget It with PCI, Network Execs Say - www.digitaltransactions.net - 04/24/09 - "The Payment Card Industry data-security standard (PCI) is a favorite punching bag of merchants, but executives from Visa Inc. and MasterCard Inc. defended the set of security rules before an audience of independent sales organizations as the best tool available for keeping cardholder information safe from computer hackers."
- Investigators have suspects in debit card fraud scheme affecting Macon, Bibb residents - www.macon.com - 04/24/09 - "Investigators have identified suspects in a debit card fraud scheme affecting more than two dozen Macon and Bibb County residents. Unidentified men, last seen in a late model black or dark blue Honda Odyssey mini-van, are accused of using residents’ debit card information to withdraw money at automated teller machine locations at bank branches in the north Atlanta area, according to a Bibb County Sheriff’s Office news release."
- Avoid these debit card traps (India) - www.intoday.in - 04/24/09 - "In December 2007, the police in Chennai arrested a 28-year-old man after he had fooled many people and got their debit card details on the phone. Because the young man pretended to be calling from the bank, several debit card holders unsuspectingly gave away even their secret PINs (personal identification numbers) and other card details."
- Layer up for security, say RSA experts - www.securecomputing.net.au - 04/23/09 - "A panel of network security experts have warned administrators to steer clear of so-called 'magic bullet' offerings. The group spoke to a crowd at this week's RSA conference on the virtues of using multiple security solutions and pursuing a 'defence in depth' philosophy for securing their networks."
- Massive UK and US botnet uncovered - www.securecomputing.net.au - 04/23/09 - "A botnet of nearly two million compromised computers, most of them in the UK and US, has been discovered by web security firm Finjan. The botnet is notable not just because of its scale, but also the speed with which it was formed and the fact that many government and corporate PCs, as well as consumer devices, were infected."
- FBI agent discusses big cybercrime bust - www.securecomputing.net.au - 04/22/09 - "The man responsible for a recent cybercrime bust has shared his experiences at the RSA conference in San Francisco. FBI agent Keith Mularski told a panel on the conference about his two-year undercover experience as a member and later moderator of the cybercrime forum 'Dark Market.' The forum was shut down last October following the arrest of nearly all its founders and administrators."
- Why Most PCI Self-Assessments Are Wrong - www.storefrontbacktalk.com - 04/22/09 - "The reason that so many PCI self-assessments are wrong is that they focus on the mainstream business processes of the company. They often ignore a lot of “back-channel” or “just-in-case” practices that result in card data coming into the company not protected by the various PCI and other data security measures to protect more mainstream applications, data repositories and processes."
- Man sues bank over phantom cash machine - www.wired.co.uk - 04/22/09 - "A football coach is suing his bank over "phantom" withdrawals that he says someone made on his account. The withdrawals were made despite the fact that the account was supposed to be protected by the chip-and-PIN system implemented to prevent such crime."
- Secure POS Vendor Alliance Overview Webinar - www.verifone.com - 04/22/09 - "Hypercom (NYSE: HYC), Ingenico, S.A. (EURONEXT: ING) and VeriFone (NYSE: PAY) announced the formation of the Secure POS Vendor Alliance (SPVA: www.spva.org), a non-profit business organization chartered with implementing common payment security standards among vendors of secure point-of-sale (POS) devices used by retailers, acquirers and cardholders alike. The session number is 750 998 655 and the registration password is Spva123"
- Is PCI the Humpty Dumpty of Information Security? - blogs.bankinfosecurity.com - 04/21/09 - "As I reviewed the testimony from the other week's hearing on the Payment Card Industry Data Security Standard (PCI DSS) in Washington, D.C., a nursery rhyme popped into my head."
- Credit Card Skimmer Found Inside Gas Pump in Pismo - www.kcoy.com - 04/21/09 - "Pismo Beach Police say someone forced their way inside gas pump number four at the Unocal 76 Station on Five Cities Drive by picking the lock and installing the "skimming" device on the inside of the machine."
- Romanian credit card scan gang thwarted by member of public - www.thisissouthdevon.co.uk - 04/21/09 - "THREE Romanians with sophisticated credit card scanning and skimming equipment were caught after a sharp-eyed member of the public alerted the authorities. Exeter Crown Court heard a miniature camera was inserted into the cash machine outside Barclays Bank in Newton Abbot to take pictures of customer cards and their PINs."
- Decrypting Retail Card Data Security - www.verifone.com - 04/21/09 - "Retailer environments are just too complex to completely and constantly lock down against all intruders. Encrypting cardholder data from end-to-end may be the only way to meet current security requirements. But not all encryption solutions can fully meet the task. This white paper reviews the alternatives and explains the things a retailer should look for when evaluating an encryption solution."
- Here's What A Card Skimmer Looks Like On An ATM - www.consumerist.com - 04/21/09 - "A lot of you have been asking to see what a skimmer looks like before it's yanked off an ATM. Are they easy to spot or virtually unnoticeable? Our reader Timeus works for a bank and deals with this sort of thing every day, and he sent in the following photos. Enjoy."
- VeriFone Announces PAYware SIM to Securely Integrate Payment Devices with Windows-Based Software - www.verifone.com - 04/21/09 - "VeriFone Holdings, Inc. (NYSE: PAY), today announced PAYware SIM, providing a single interface to simply and securely integrate Windows-based POS systems with VeriFone’s secure payment software solutions and consumer activated acceptance devices. The developer tool isolates sensitive cardholder data from the POS application, and is designed to greatly reduce the complexity and associated costs of achieving compliance with PCI and PA DSS requirements."
- Filling in the Gaps - www.verticalsystemsreseller.com - 04/21/09 - "Those embarrassing leaks! For retailers, those mortifying moments are related to the data leaking out of their wireless networks, thanks to poor security. For the second year in a row, Motorola AirDefense sent agents out to 4,161 stores at shopping malls and plazas across the globe in their own pedestrian version of war driving. Armed with laptops, these investigators sniffed around for access to retailers' wireless networks and devices, seeing what is leaking out."
- Visa, Mastercard Shut Down Scareware Distributor - www.electran.org - 04/21/09 - "In what appears to be an unusual move, security representatives from both MasterCard and Visa have intervened to force a German merchant processing company to halt processing for a Web-based merchant implicated in the distribution of so-called "scareware." The move came after a report in the Washington Post said the merchant, TrafficConverter2.biz, was using an affiliate program to distribute software that installs itself on personal computers, flashes warnings of virus infections, and markets a program to remove the infections."
- 6 held as int'l. credit scam is detected in U. Darby - www.philly.com - 04/21/09 - "Six people allegedly involved in an international credit-card-scam ring are now behind bars on $500,000 bail each and under investigation by the Secret Service after police found their booty strewn across beds in an Upper Darby motel Friday. A woman in Pasadena, Calif., was stumped when she checked her credit-card account Friday and realized it had just been used to rent two rooms at the Summit Motor Inn on Township Line Road, Upper Darby Police Superintendent Michael Chitwood said."
- Organised crime gangs use malware to target PINs - www.australianit.news.com.au - 04/21/09 - "ORGANISED crime gangs are custom-building malware to target specific data in specific businesses, resulting in a surge in the volume and value of thefts. The Verizon Business Investigative Response Team, which handles data breaches on behalf of major corporations, finds 90 breaches yielded 285 million separate records last year."
- US Companies Still Underestimate Impact of Data Breaches, Says Hiscox Risk Report - news.prnewswire.com - 04/20/09 - "Thirty-eight percent of Fortune 500 companies surveyed in a new report from Hiscox (LSE: HSX), the international specialist insurer, fail to acknowledge the threat of a data breach in the Risk Factors section of their SEC 10-K filing. Additionally, of the companies that do include the risk of a data breach in their 10-K, 26 percent fail to mention the consequential financial impact while a further 49 percent failed to identify the reputational impact."
- Identity and Access Management - www.itweb.co.za - 04/20/09 - "In a perfect world, every action performed by any user in an organisation could be verified. It could be proven that a user was who he claimed to be, that he had the right permissions to use the services he was using, and that those particular actions could be indisputably tied to him."
- The Downfall of Chao: Behind the Scenes of an Online Fraudster's Arrest - www.rsa.com - 04/20/09 - "When Chao was arrested in September 2008, something in the veil of anonymity surrounding cyber crime was lifted. This blog will reveal previously undisclosed information regarding this case. Chao was the brain behind Crime Enforcers, a busy assembly line of ATM and Point of Sale card skimmers. For eight years he ascended the criminal underground ladder, until he became a name every cyber criminal recognized."
- VeriFone Extends End-to-End Encryption Across Product Lines - www.verifone.com - 04/20/09 - "VeriFone Holdings, Inc. (NYSE: PAY), today announced it has extended its VeriShield Protect solution to provide end-to-end encryption capabilities across multiple product lines, including Vx Solutions, PAYware Transact, and as a managed service. VeriFone also announced a new secure magstripe reader that connects to electronic cash registers (ECRs) and PCs."
- Decrypting Retail Card Data Security - www.verifone.com - 04/20/09 - "VeriFone has just released a security white paper describing the evaluation of end-to-end encryption technologies."
- Reader Finds Another Card Skimmer On ATM - www.consumerist.com - 04/19/09 - "Kelly sent us these pics of a card skimmer she found yesterday on a Bank of America ATM in Atlanta. She writes, "I asked the police what to do; they said give it to the bank. I asked the bank what to do, they said give it to the police. I assume that no one has established standard procedures to handle this kind of thing yet." Well if nothing else, send us a photo!"
- Debit card scam rips off $20,000 - www.lfpress.ca - 04/18/09 - "Police in St. Marys are investigating a debit card scam that fleeced at least 33 people out of nearly $20,000. It's the second major debit card scam in the region since January. Perth County OPP said a skimming device was installed in an ATM machine at the Bank of Montreal between March 3 and March 7."
- Pismo Beach - San Luis Obispo Pump Skimmer - www.sanluisobispo.com - 04/17/09 - "Police recently uncovered what they say is a credit card skimmer installed at a pump at a local gas station. The device was apparently installed to steal credit card information at that particular pump. It was unclear if any credit card numbers were stolen or how long the device had been there."
- PCI Standards Training Program 2009 - www.pcisecuritystandards.org - 04/17/09 - "This is a 2-day training course based directly on the PCI SSC Qualified Security Assessor (QSA) training program. Attendees will learn what the QSAs learn so they can better prepare for an on-site PCI DSS assessment or perform the assessment internally. This is not a certification course."
- Russian, Euro cybermafia own your data - government.zdnet.com - 04/16/09 - "This report from Verizon Business (PDF), as reported in the Washington Post, offers some interesting numbers amid the obvious conclusion that cybercrime is conducted by organized crime."
- Burnley skimming cases: How to avoid the cash card scams - www.thisislancashire.co.uk - 04/16/09 - "IT’S a crime that cost Britons £230million last year - and now Burnley has become the latest target for card-skimming fraudsters. Police acted earlier this week after two cash machines in the town were found to have been fitted with elaborate devices designed to steal account details and PIN numbers."
- Payment Card security activity lifts in ANZ - voices.washingtonpost.com - 04/16/09 - "The number, scale and sophistication of data breaches fueled by hackers last year is rekindling the debate over the efficacy of the credit card industry's security standards for safeguarding customer data. All merchants that handle credit and debit card data are required to show that they have met the payment card industry data security standards (PCI DSS), a set of technical and operational requirements designed to safeguard cardholder information from theft or unauthorized access."
- Over 280 million records compromised last year - www.vnunet.com - 04/15/09 - "More than 280 million records were compromised in 2008, according to a new Data Breach Investigations Report from global comms and IT provider Verizon Business. The report was written by the Verizon Business Risk team using first-hand evidence collected from the firm's data breach investigations over 2008."
- PIN-Hunting Hackers Finding Plum Targets - www.pcmag.com - 04/15/09 - "Verizon Business reported Wednesday that more records were stolen from businesses during 2008 than during the last four years combined. And how was that done? Most often through default or easily-guessed passwords. According to the "2009 Verizon Business Data Breach Investigations Report," released Wednesday, 285 million records were stolen, virtually all from online sources, in 90 different breaches."
- Visa General PED Frequently Asked Questions - partnernetwork.visa.com - 04/15/09 - "Visa recently updated its Visa General PED Frequently Asked Questions. Of note: Visa announced that they will not require existing installed Fuel Dispensers to upgrade to the forthcoming UPT standard. There is no date yet published when newly installed pumps must meet the yet to be released standard."
- BLOTTER: Police reports published April 15 - www.tonawanda-news.com - 04/15/09 - "The investigation into scores of fraudulent transactions using area Citizens Bank customer information has been turned over to agents with the U.S. Secret Service. City of Tonawanda investigators also report an agent now handling the investigation said a Romanian male has been arrested in connection with about 20 such cases that began in the Town of Tonawanda."
- Burnley skimming cases: How to avoid the cash card scams - www.lancashiretelegraph.co.uk - 04/15/09 - "A FAKE cash machine front was found by police at a busy high street bank. Police discovered fraudsters had installed a ‘skimming’ device at an ATM at the Abbey branch in St James’ Street, Burnley, after a tip-off from a member of the public."
- 2009 Verizon Business Data Breach Investigations Report - www.verizonbusiness.com - 04/15/09 - "More electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, according to the "2009 Verizon Business Data Breach Investigations Report" (DBIR) released Wednesday (April 15)."
- Data Security Slugfest: Tokenization Vs End-to-End Encryption - www.storefrontbacktalk.com - 04/15/09 - "In a land “Beyond PCI,” there’s trouble brewing. Issues involving everything from tokenization to end-to-end encryption are being debated and the PCI SSC is hiring a consulting firm to look into the implications of these (and other) technologies and processes."
- Five Ways To Survive a Data Breach Investigation - www.computerworld.com - 04/14/09 - "Security experts say it all the time: If a company thinks it has suffered a data security breach, the key to getting at the truth unscathed is to have a response plan in place for what needs to be done and who needs to be in charge of certain tasks. And, as SANS Institute instructor Lenny Zeltser advised in CSOonline's recent How to Respond to an Unexpected IT Security Incident article, "ask lots and lots of questions" before making rash decisions."
- PIN Crackers Nab Holy Grail of Bank Card Security - blog.wired.com - 04/14/09 - "Hackers have crossed into new frontiers by devising sophisticated ways to steal large amounts of personal identification numbers, or PINs, protecting credit and debit cards, says an investigator. The attacks involve both unencrypted PINs and encrypted PINs that attackers have found a way to crack, according to an investigator behind a new report looking at the data breaches."
- Romanian ATM racket 'global' - www.brisbanetimes.com.au - 04/14/09 - "A high-tech syndicate composed mainly of Romanians is believed to be behind a spate of recent ATM skimming incidents that have targeted almost 40 ATMs in Sydney alone, the Fraud Squad says. Up to a dozen members of the sophisticated gang are believed to have entered the country in recent months, moving between capital cities and attaching skimming devices to ATMs, said Colin Dyson, Commander of the NSW Fraud Squad."
- Payment Card security activity lifts in ANZ - computerworld.co.nz - 04/14/09 - "Interest in the Payment Card Industry Data Security Standards (PCI DSS) has ramped up sharply in Australia and New Zealand in the last few months says Ken Celik, ANZ technical manager at data integrity specialist Tripwire. This follows two years of what he says is low interest among merchants and even banks."
- Skimmer found on Cirencester cash point (UK) - www.thisisgloucestershire.co.uk - 04/14/09 - "A SCANNING device was found on a cash point at Cirencester. Thieves targeted the Abbey National hole-in-the-wall at Market Place on Saturday, with a skimmer. Alert bank staff contacted police at 8.35am when they spotted the irregularity. Police seized the device and an investigation into who placed the item on the cash point has started."
- Latest ATM-Skim Skirmish Illuminates War on Fraud - www.americanbanker.com - 04/13/09 - "The PCI standard, long touted as one of the private sector's strongest attempts to regulate itself on IT security, is increasingly being slammed by critics who claim that the rules aren't doing enough to protect credit and debit card data. And amid all the complaints, Visa Inc. — the standard's biggest proponent — is working one-on-one with banks and retailers to test new security measures that go beyond the controls currently mandated by PCI."
- PCI security rules may require reinforcements - www.computerworld.com - 04/13/09 - "The PCI standard, long touted as one of the private sector's strongest attempts to regulate itself on IT security, is increasingly being slammed by critics who claim that the rules aren't doing enough to protect credit and debit card data. And amid all the complaints, Visa Inc. — the standard's biggest proponent — is working one-on-one with banks and retailers to test new security measures that go beyond the controls currently mandated by PCI."
- Steal This Database - www.forbes.com - 04/13/09 - "Among the companies talking about their information security products at the upcoming RSA Conference in San Francisco, one pitch stands out: "Go ahead and steal this database." Due to a rise in employee-based data breaches and increasing pressure to comply with a growing number of security-related rules and regulations, a new crop of vendors have emerged selling fake databases that look and function as if they're the real thing."
- 3 held for international credit card fraud (India) - scamsters.blogspot.com - 04/13/09 - "Increased vigil on lodges across the city, in view of the elections, resulted in the busting of an international credit card fraud on Monday. Three of the six-member gang were arrested and 85 cloned credit cards of various banks along with a skimmer, laptop, jewellery and other valuables were seized from them."
- ATM "Skimming" Suspect Arrested - www.rochesterhomepage.net - 04/13/09 - "A warning tonight why you should be extra cautious at the ATM. It's called ATM skimming and a Romanian man is accused of stealing thousands of dollars from people in Western New York using it."
- Latest ATM-Skim Skirmish Illuminates War on Fraud - www.industrywatch.com - 04/10/09 - "An automated teller machine skimming scam exposed last week is shining a light on the never-ending "arms race" in security technology. NCR Corp. has said it widened the gap a year ago with the introduction of its tamper-resistant SelfServ line, which is equipped with a fraudulent device inhibitor - a design feature meant to thwart skimming devices that fraudsters affix to ATMs' card slots to glean card data."
- Former Employee Accused of Skimming Credit Cards - www.itnews.com.au - 04/09/09 - "A hacker has dumped active credit card numbers of users of the popular Web Hosting Talk forums online less than 24 hours after the site restored the lion’s share of data deleted in an initial breach."
- Washington And PCI Are A Terrifying Combo - www.storefrontbacktalk.com - 04/08/09 - "The fallout continues from last month’s U.S. congressional hearings about PCI. Based on quite a few retailers I’ve talked with since the hearing, about one third of the PCI managers are beginning to sense that their upper management will use these hearings, and the breaches of Heartland and RBS WorldPay, as excuses to cut PCI compliance spending."
- Modern Malware Threats and Countermeasures - www.webbuyersguide.com - 04/06/09 - "Spyware, or its more correct term malware, is an ever-evolving beast of software development that today ties heavily into the desire for financial gain. Malware developers are no longer disgruntled kids writing scripts from the computer in their grandmother’s basement. Today, malware is big business, and with big business comes software sophistication. This free 19-page eBook discusses how the landscape of malware code has evolved to become a major underground industry."
- Former Employee Accused of Skimming Credit Cards - www.khsltv.com - 04/06/09 - "A former employee at a Redding restaurant is accused of stealing credit card information from customers. The employee once worked at New China restaurant in Redding. He moved to Southern California in February, but not before skimming credit card information from several customers."
- Former Best Buy cashier, 2 others plead guilty in credit card racket - www.sun-sentinel.com - 04/06/09 - "A former Best Buy employee and two South Florida men pleaded guilty to charges they conspired to steal credit card numbers of customers who shopped at the West Palm Beach consumer electronics store in November and December."
- Reader Finds Card Skimmer On Bank ATM - www.consumerist.com - 04/06/09 - "Dan says over the weekend he discovered a card skimmer attached to the ATM at his local WaMu branch. He pulled it off and took photos of it."
- Federal Judge In Hannaford Databreach Case To Decide Responsibility Issues - www.storefrontbacktalk.com - 04/05/09 - "A federal judge in Maine is promising to issue a decision imminently about whether a databreach class action lawsuit against Hannaford will be allowed to proceed. The arguments before U.S. District Court Judge D. Brock Hornby in the Hannaford case are almost identical to those put in front of another federal judge in late 2007 overseeing the TJX databreach."
- Police close in on card skimming syndicates - www.iol.co.za - 04/05/09 - "Police have collated intelligence and are moving in on the "big fish" behind credit card skimming syndicates across the country following the arrest of dozens of restaurant staff in the last few months."
- Key Data Security Compliance Dates - usa.visa.com - 04/03/09 - "Visa finally put all of their compliance dates from their different programs on a single web page."
- PCI/DSS (and more!) Workshop - www.treasuryinstitute.org - 04/03/09 - "The Treasury Institute for Higher Education is putting on a PCI DSS Workshop May 4-6 to cover PCI as well as Red Flag Issues. More information can be found at their web site."
- New Device Can Stop ATM Skimming - www.fox5vegas.com - 04/03/09 - "It’s a growing threat for ATMs and the people who use them. Skimming is one of the fastest growing fraud risks facing both consumers and banks."
- US plans national cybersecurity upgrade - www.securecomputing.net.au - 04/02/09 - "New bill would enforce security for critical infrastructure. The bill, sponsored by Senators John D. Rockefeller IV and Olympia J. Snowe, would see the creation of a National Cybersecurity Advisor (NCA) with direct access to the president."
- Retailers: Proposed bill creates problems for business owners - www.timesdaily.com - 04/02/09 - "Credit unions and retailers reacted differently Wednesday to two proposed Alabama bills that would require businesses to notify residents when personal information accessible by computer has been breached. The companion bills, introduced this week by Rep. Tammy Irons, D-Florence, and Sen. Roger Bedford, D-Russellville, are aimed to protect consumers against personal data theft from computers. The bill would put the liability of computer breaches on businesses."
- Police Say Debit Card Skimming Rampant in Las Vegas - www.lasvegasnow.com - 04/02/09 - "You may want to think twice about swiping your debit card at a gas station pump. Metro has a warning about high-tech thieves out to rip you off and steal your identity. Police have known about the problem for awhile, but they say it's now worse than ever. You pull out the plastic, swipe your card, and just like that crooks have your information from the magnetic stripe and your identity is stolen."
- Three charged in ATM skimming operation - www.newsdurhamregion.com - 04/02/09 - "Durham fraud investigators assisted in an investigation that resulted in the arrest of three suspects in a wide-ranging debit-card skimming operation."
- Judge to decide if Hannaford data breach should go to trial - pressherald.mainetoday.com - 04/02/09 - "A federal judge said he will decide in the next few days whether supermarket giant Hannaford Bros. is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers."
- Do the Payment Card Industry Data Standards Reduce Cybercrime? - The House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology - 04/02/09 - "The House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, which is part of the Homeland Security Committee, chaired by Yvette Clarke (D-NY) held a hearing on Tuesday, March 31, 2009 titled 'Do the Payment Card Industry Data Standards Reduce Cybercrime?'"
- With End-to-End Encryption, Whose End Is Getting Protected? - www.storefrontbacktalk.com - 04/02/09 - "In a piece last week, we talked about a series of future security offerings that Visa is pushing, including a comment from a Fifth Third Bank executive that end-to-end encryption has logistical challenges, especially “a tremendous key management issue.”"
- 3 held for international credit card fraud - www.expressbuzz.com - 04/01/09 - "Increased vigil on lodges across the city, in view of the elections, resulted in the busting of an international credit card fraud on Monday. Three of the six-member gang were arrested and 85 cloned credit cards of various banks along with a skimmer, laptop, jewellery and other valuables were seized from them."
- A New Approach for Protecting Data All the Way Down the Line - www.technewsworld.com - 04/01/09 - "Events in recent months have proven that just because you're up to speed with privacy and security regulations doesn't mean you won't suffer a data breach. The new bottom line is that organizations need to think more carefully and more creatively about managing and protecting data, writes Voltage's Mark Bower, and it's going to take more than checking off compliance boxes."
- Diary of a Data Breach Investigation - www.csoonline.com - 04/01/09 - "When the CISO asks to speak to you with that look on his face, you know the news isn't good. We were contacted by one of our third-party vendors, whom we had hired to do analysis on our website traffic. It appears that we have been passing sensitive information to them over the Internet. This sensitive information included data, such as customer names, addresses and credit card information."
- Mastercard Adds 3 New PCI Education Modules to the On Demand Webinar Series - MasterCard Worldwide - 04/01/09 - "In continuing our efforts to broaden adoption and awareness of the PCI DSS, MasterCard will be adding three new modules based on industry feedback to expand on current offerings of the PCI Merchant Education Program On Demand Webinar Series."
- VeriFone and MasterCard Worldwide Host New Merchant Education Seminar on PCI Compliance - VeriFone & MasterCard Worldwide - 04/01/09 - "VeriFone Holdings, Inc. (NYSE: PAY) and MasterCard Worldwide today announced a new online seminar for merchants to help them optimize their business through managing fraud and reputational risk. The new seminar, “Payment Application Vendors and PA-DSS,” expands MasterCard’s PCI Merchant Education Program, an initiative offered to MasterCard acquiring bank customers to provide practical assistance in educating merchants and encouraging broader adoption of the Payment Card Industry Data Security Standard (PCI DSS)."
- CRIME: Police investigating cases of identity theft - www.tonawanda-news.com - 04/01/09 - "Most people are cautious when they’re at the ATM with others around, but sneaky technology can take down card and PIN information even when no one is in sight. A rash of identity theft cases have led police to investigate whether criminals are using a device called a card skimmer to steal information from unsuspecting bankers."
- It May be Time to Switch Card Processors - www.storefrontbacktalk.com - 04/01/09 - "There is a lot of dissatisfaction in the merchant community with their card processors. Cost is, of course, the major concern: Many of the merchants I spoke with are trying to get their per-transaction costs as low as possible. But they are also unhappy about downgrade charges, the indecipherable bills, the lack of help from their representatives, and what they view as the coercive nature of the relationship."
March 2009
- Panels describe risks of noncompliance with Mass. data protection law - searchcompliance.techtarget.com - 03/31/09 - "The recent extension of the Massachusetts data protection law, 201 CMR 17.00, to Jan. 1 due to concerns over the costs of preparation and implementation may still not give businesses enough time to become compliant with the new law."
- Technology is advancing crime in Middle Ga. (Fuel Pump Skimmer) - www.wmgt.com - 03/31/09 - "Technology has advanced almost everything we do in our everyday lives, but it may be hurting you without you knowing it. Criminals are using technology to become more creative. "Technology opens up new avenues for crooks," said Kelvin Collins, President and CEO of the Better Business Bureau."
- NRF Calls PCI Standards 'Elaborate Patch,' Tells Congress Retailers Should Not Be Required to... - www.forbes.com - 03/31/09 - "The National Retail Federation told a congressional panel today that security standards imposed on merchants by the credit card industry are only "an elaborate patch," and that a system in which retailers would not be required to store card numbers would do a better job of protecting consumers against credit card fraud."
- Visa, MasterCard In Security Hot Seat - www.forbes.com - 03/31/09 - "Criminal hackers aren't just hard to catch. They're also hard to blame. In security breach cases last year, such as Hannaford Bros. supermarket and the card processing firm Heartland Payment Systems, the cybercriminals who gained access to millions of consumers' credit card details haven't been--and may never be--identified or prosecuted."
- Retailers: Credit card data inadequately protected - news.cnet.com - 03/31/09 - "The self-regulatory system credit card companies have created to protect consumer data sacrifices some consumer protections for the sake of conveniencing the credit card companies and their financial institution partners, retail representatives told Congress Tuesday."
- Washington D.C. Restaurants Become Credit Card Cloning Hot Spots - blog.wired.com - 03/30/09 - "Four former servers at three upscale Washington D.C. restaurants blocks from the White House were arrested last week for allegedly using covert skimming devices to clone customer credit card data, in a year-long counterfeiting operation that's put $750,000 in fraudulent charges on the plastic of Washington's elite."
- Solving the hacking problem - www.securecomputing.net.au - 03/30/09 - "To avoid hacking and malicious alteration of the application, software companies are turning to new anti-tamper solutions that will protect the entire application, as well as maintain code integrity."
- Possible Heartland Suspect Details Emerge - www.storefrontbacktalk.com - 03/30/09 - "An accused Israeli cyberthief arrested in Canada last year may prove to be involved in the Heartland data breach, according to one report. Ehud Tenenbaum, known by the handle “The Analyzer,” is quite possibly involved in both the RBS WorldPay breach as well as the breach at Heartland, as law enforcement officials “have used similar language to describe an international conspiracy that is targeting multiple financial institutions,” reports the Information Security Resources blog."
- Thieves go on e-shopping spree with credit card data - timesofindia.indiatimes.com - 03/29/09 - "Even petty thieves are discovering the treasure trove that is the Internet, which has now become their new hunting and looting ground. The Saki Naka police recently arrested two persons, Abdul Wajeed and Muzzamil Sheikh, for allegedly obtaining credit card numbers and other sensitive information from unsuspecting consumers and using them to shop for electronic items online."
- Vast Spy System Loots Computers in 103 Countries - www.nytimes.com - 03/28/09 - "A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded."
- Stimulus Bill Includes First (and Maybe Only) Federal Data Breach Notification Law - www.itbusinessedge.com - 03/26/09 - "Among tax cuts and credits, more bailout funds and restrictions on executive pay packages, the American Recovery and Reinvestment Act (ARRA) also includes a section that introduces the first federally-mandated data breach notification law."
- Now in Pilot, Visa’s Consumer Alerts Set to Roll out Later This Year - www.digitaltransactions.net - 03/27/09 - "Visa Inc. is taking steps to more actively recruit consumers in its fraud-fighting efforts, including the development of an early-warning system that notifies cardholders in real-time when their cards are being used. Visa’s Transaction Alert system, currently in pilot at banks including U.S. Bank, PNC Corp., and Wells Fargo & Co., notifies cardholders via e-mail or mobile phones when their cards are being used for a purchase."
- 'Contactless' credit cards spark concerns for data privacy - www.creditcards.com - 03/26/09 - "The credit card swiper you now use at the checkout counter may eventually be obsolete, but privacy advocates question whether no-swipe "contactless" cards are more for convenience and less about keeping customers' data safely protected."
- Desired state: Retailers get compliant with PCI - www.scmagazineus.com - 03/26/09 - "Technology is not the first term that comes to mind when thinking about a hair cut. But for hair salon operator Regis Corporation the behind-the-scenes technology of its business became a significant concern."
- A token of payments to come - www.greensheet.com - 03/26/09 - "Merchants typically incur significant costs to become Payment Card Industry (PCI) Data Security Standard (DSS) compliant and face the prospect of hefty fines if they are determined to be noncompliant – not to mention the operational and reputational damage data breaches can cause."
- Feedback: In Defense Of The PCI Data Security Standard - www.informationweek.com - 03/26/09 - "We've all seen the news stories about threats to data security, including recent disclosures of large-scale breaches. So it's understandable--perhaps inevitable--that questions would surface about the viability of the Payment Card Industry Data Security Standard."
- ATM 'Skimming' Suspects Sought - www.myfoxphilly.com - 03/25/09 - "Police are tracking a team of alleged ATM bandits. They say they have pictures catching them red-handed, stealing your card numbers and your codes. They're accused of hitting ATMs all over the area. Police say their suspects have snatched tens of thousands of dollars in your money."
- PCI, customer data and the kiosk - www.kioskmarketplace.com - 03/25/09 - "If customer-data security was a big issue before, it became gargantuan in 2007, following the infamous TJX Companies security breach. More than 45 million customer records were compromised, causing the company to spend more than $20 million investigating the breach, notifying customers and hiring lawyers for multiple lawsuits."
- RBS, Heartland PCI compliance revoked: What's next? - www.greensheet.com - 03/25/09 - "Following a stretch in which no penalty was handed down for two large-scale data breaches, Visa Inc. revoked the Payment Card Industry (PCI) Data Security Standard (DSS) compliant statuses of both Heartland Payment Systems Inc. and RBS WorldPay Inc. on March 13, 2009."
- Card-skimming suspects held (South Africa) - www.thestar.co.za - 03/25/09 - "POLICE have arrested five members of a card-skimming gang who were defrauding customers at the Spur restaurant at Cape Town International Airport. Four waitresses were arrested and a card-skimming device was seized by the Commercial Crime Unit last Friday. A fifth waiter, who works in Sea Point, was also arrested."
- Police learn to combat identity theft - www.northfulton.com - 03/25/09 - "Ask 27-year Florida Department of Law Enforcement (FDLE) Special Agent Wayne Ivey about identity theft sometime. He can tell you everything you would ever want to know about this mushrooming white-collar crime."
- 18 month credit fraud ring investigation leads to three arrests - www.ktnv.com - 03/25/09 - "Box after box, jewelry, DVD players, cars of every size and all of it is now evidence. 'Right now they're astronomically tired,' said Lt. Robert Sebby of his Metro Police team. 'This started Monday morning.'"
- Post-PCI: Visa Experiments With More Secure Card Strategies - www.storefrontbacktalk.com - 03/25/09 - "Visa has been experimenting—through retail and processor partners—with several alternative security approaches for its cards, including a challenge and response effort at OfficeMax, a digital card fingerprint-like image at processor Fifth Third and a strict data segregation experiment at McDonalds."
- Heartland Taking Names And Kicking POS, With Visa’s Help - www.storefrontbacktalk.com - 03/24/09 - "When Visa sent an E-mail to retailers telling them it was suspending Heartland, the note was explicit in saying that “Heartland will continue to serve as a processor in the Visa system.” But that didn’t stop rivals from recruiting Heartland customers by saying that they could face fines or PCI certification problems if they used them."
- WEBINAR: The Real State of PCI - Stores Magazine - 03/24/09 - "PCI encompasses a complex and changing set of requirements that impact a broad array of technologies, all with the intent of protecting card data from an ever-evolving landscape of threats. Join a STORES Knowledge Series webinar at noon Eastern, Tuesday, April 7, to hear some of the common questions retailers are asking about PCI."
- 'The Analyzer' Hack Probe Widens; $10 Million Allegedly Stolen From U.S. Banks - blog.wired.com - 03/24/09 - "Ehud Tenenbaum, an Israeli hacker arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks, also allegedly hacked two U.S. banks, a credit and debit card distribution company and a payment processor in what U.S. authorities are calling a global "cashout" conspiracy."
- Waitress allegedly got $220 for scam - www.marketwatch.com - 03/24/09 - "A waitress at a restaurant in New Orleans' French Quarter has been charged with using a skimmer to harvest credit card numbers. Jaleesa Jimerson, who worked at Bubba Gump Seafood Co., faces 216 criminal counts for crimes that include possessing fraudulent documents and using the skimmer, The Times-Picayune newspaper in New Orleans reported Tuesday."
- Iron-Particle 'Fingerprints' Could Thwart Data Thefts - www.fstc.org - 03/24/09 - "Visa Inc. and Fifth Third Bancorp are testing a system that evaluates the physical properties of the iron in the magnetic stripes on payment cards. The companies say these characteristics are different for every card and can function as a financial "fingerprint" that could prevent stolen account data from being used to produce counterfeit cards."
- Heartland: Visa won't fine you for doing business with us - www.scmagazineus.com - 03/24/09 - "Heartland Payment Systems is fighting back against competitors it says are falsely informing customers that they face fines if they continue doing business with the breached payment processor. Robert Carr, the Princeton, N.J.-based company's chairman and CEO, said in a letter posted on the firm's breach information website that Heartland has sent cease-and-desist letters to some competitors -- which he did not name -- telling them 'that their untrue and misleading claims are baseless and unlawful.'"
- Bethlehem police release photos of ATM scam suspect; police believe Armenian group responsible - www.lehighvalleylive.com - 03/24/09 - "Police said Monday a group of men employed skimmers on ATM machines in the Lehigh Valley as well as Philadelphia and Bucks and Monroe counties. Skimmers at two machines, one on the South Side and one on Catasauqua Road in Bethlehem, led to 286 compromised accounts at Bank of America. The thieves dipped into 34 accounts, stealing $43,625."
- Heartland Data Breach: Visa Questions Processor's PCI Compliance - www.bankinfosecurity.com - 03/24/09 - "Despite the Heartland Payment Systems (HPY) data breach and other noted compromises, Visa staunchly supports the Payment Card Industry Data Security Standard (PCI DSS). This is the message from Adrian Phillips, Visa's Deputy Chief Enterprise Risk Officer, who in an exclusive interview hammers home the credit card company's support for the security standard..."
- Australian ATM skimming gang nets $500,000 - www.finextra.com - 03/24/09 - "Australian police are hunting thieves suspected of stealing over $500,000 from ANZ customer bank accounts using details obtained from a skimming device attached to a cash machine in Melbourne. Investigators suspect the device has been attached to the ATM intermittently over the past two months, with stolen card details then used to access funds from accounts."
- Symantec Says Credit Card Data May Have Leaked From India - www.pcworld.com - 03/23/09 - "Symantec said on Monday that credit card information relating to three of its customers may have been leaked from its call center contractor in India. The company has narrowed down on one employee of the contractor as a possible suspect, and has turned over the information including recorded call data to the police for investigation, a spokesman for Symantec India said on Monday."
- Sentence in fraud case reduced - www.newsdurhamregion.com - 03/23/09 - "Ontario's appeals court has reduced the sentence given a man convicted in 2007 of running a debit card skimming operation out of an Oshawa gas bar. In a decision released earlier this month, a panel of justices with the Ontario Court of Appeal ruled the five-year sentence given Serguei Kokoouline for several fraud offences was excessive. The sentence was reduced to a term of three and a half years."
- Visa slaps payment processors over breaches, defends PCI rules - www.computerworld.com - 03/23/09 - "Two payment processors that recently disclosed data breaches have been dropped from Visa Inc.'s list of companies that comply with the PCI data security rules. But analysts said the move may be more about Visa protecting itself than about improving the security of payment card data."
- ANSI Panel to Standardize Identity Theft Tracking - www.pcworld.com - 03/20/09 - "Know the difference between 'identity theft' and 'identity fraud'? Don't feel bad if you don't. Even within the security industry, within the government, and within law enforcement, the terms are used interchangeably although they are in fact different."
- Breach Exposes 19,000 Active US, UK Credit Cards - it.slashdot.org - 03/20/09 - "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses."
- Skimmers Found on Pair of Bank ATM's - www.wfmz.com - 03/20/09 - "Police say they're on the lookout for someone stealing account numbers at ATMs in Bethlehem. Police say they've found skimmers on two Bank of America ATMs. One machine is in the 2300 block of Catasauqua Road."
- Small Business: The New Black In Cybercrime Targets - www.darkreading.com - 03/19/09 - "Hackers and computer criminals this year are taking a new aim -- directly at small and midsize businesses, according to experts who spoke here today at Visa's annual security event. The consensus: Smaller businesses offer a much more attractive target than larger enterprises that have steeled themselves with years of security spending and compliance efforts."
- UK Card-not-present fraud up 13 per cent - www.itpro.co.uk - 03/19/09 - "The main driver for growth in card fraud is on those transactions without chip and PIN protection, the main UK payment industry body, Apacs said today, as it released its fraud figures for 2008. Card-not-present (CNP) fraud losses increased by 13 per cent over the last year to now account for 54 per cent of all card fraud losses."
- Preparing Your Application Software for PA-DSS - www.bsminfo.com - 03/19/09 - "In order to protect retailers from purchasing application software that may enable criminals to obtain credit card data, the Payment Card Industry Security Standards Council (PCI SSC) has adopted and brought into line with PCI DSS 1.2 Visa’s Payment Application Best Practices and renamed it Payment Application Data Security Standard (PA-DSS)."
- Banking and card fraud hit new highs - www.timesonline.co.uk - 03/19/09 - "Credit and debit card fraud soared to a record £609.9 million last year as criminals found ways of bypassing the chip-and-PIN system, it emerged today. Figures from Apacs, the Association for Payment Clearing Services, show that losses on cards rose by 14 per cent last year, equivalent to £10 for everyone in Britain."
- Post-breach criticism of PCI security standard misplaced, Visa exec says - www.computerworld.com - 03/19/09 - "Visa Inc.'s top risk management executive today dismissed what she described as "recent rumblings" about the possible demise of the PCI data security rules as "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure."
- Overseas card fraud scam exposed - www.bbc.co.uk - 03/19/09 - "A criminal gang selling UK credit card details stolen from Indian call centres has been exposed by an undercover BBC News investigation. Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man."
- Bethlehem police confirm skimmer was attached to city ATM - www.lehighvalleylive.com - 03/19/09 - "Bethlehem police confirmed today that a Bank of America ATM in the first block of East Third Street had a skimmer -- an illicit data collection device -- attached to it. The bank reported last week that a number of customers had more than $20,000 withdrawn from their accounts by unknown individuals using ATM machines from Allentown to Plainfield, N.J."
- PCI SSC Launching New Special Interest Groups - www.pcisecuritystandards.org - 03/18/09 - "The PCI SSC Board of Advisors is sponsoring several exciting special interest groups (SIGs) designed to foster greater understanding of key issues surrounding cardholder data protection and the PCI standards. For more information, please contact sigs@pcisecuritystandards.org."
- Dutch supermarket fingerprint payments plan shelved - www.finextra.com - 03/18/09 - "Dutch supermarket chain Albert Heijn has shelved plans to use fingerprint scanning technology as an alternative to card and cash payments at the check-out after a six month trial failed to dispel security concerns."
- Data breach exposes 5900 Shell customers - www.thetechherald.com - 03/18/09 - "Oil giant Shell is warning customers in New Zealand and Australia about potential security risks after their information was exposed in a Web site attack. Shell is warning 5900 customers that personal information was exposed after someone broke into a Web site that housed credit applications for Shell fuel cards."
- ATM malware may help snatch your cash - www.itwire.com - 03/18/09 - "A prominent security vendor has come across malware targeting ATMs and implementing a virtual card skimmer. Security vendor Sophos has revealed that it has obtained malware samples that appear to specifically target Diebold ATMs. It appears to be an inside job, as it uses undocumented functions of the ATM software and appears to use the printer."
- ATM malware may help snatch your cash - www.pioneerlocal.com - 03/17/09 - "The Buffalo Grove Police Department is investigating the possible theft of account data from an automated teller machine at the Bank of America branch on Dundee Road."
- NetSPI, VeriFone Team on Industry-Leading PA-DSS Compliance Effort - www.verifone.com - 03/16/09 - "Minneapolis, March 16, 2009 - NetSPI, a leading information-security consulting firm, and VeriFone Holdings, Inc. (NYSE: PAY), have partnered on a pioneering effort to ensure that VeriFone payment device applications comply with the new security standard known as the Payment Application Data Security Standard (PA-DSS)."
- Bank cashier guilty of skimming customer cards - www.irishtimes.com - 03/16/09 - "A Bank of Ireland cashier who used an illegal magnetic data skimmer to steal card details, leading to almost €320,000 being taken from 87 customer accounts, has been given a suspended sentence. Darren McComiskey (24), Thornville Road, Kilbarrack, pleaded guilty at Dublin Circuit Criminal Court to stealing the account details and pin numbers from customers he served during his employment at the BOI College Green branch."
- Card fraud hits record high despite fortune spent on chip-and-pin security - www.independent.co.uk - 03/15/09 - "Fraud carried out on credit and debit cards is expected to have topped £600m for the first time last year, when banking industry figures are released this week. Despite the introduction nearly five years ago of chip-and-pin security technology, at a cost of hundreds of millions of pounds, the tide of fraud is rising ever higher."
- WEBINAR - Security Challenges of Open Payment Systems for Transit Agencies - www.verifone.com - 03/14/09 - "As transit agencies look to adopt open payment systems and the numerous advantages that will come from an open payment systems approach, they will also be faced with a number of challenges. DATE: March 30, 2009 TIME: 1:00 PM EST"
- Columbia Valley - Thieves Skim Bank Accounts (Canada) - bc.rcmp.ca - 03/13/09 - "Between January 20th and 22nd, 2009 unknown culprits entered a local bank in Invermere, BC and attached a "skimming" device to the bank machine. Approximately 34 customer cards were compromised for a total of over $20,000."
- Visa, Merchant Council Join Forces with McAfee - www.cxotoday.com - 03/13/09 - "Visa Inc. and Merchant Risk Council have joined the McAfee Initiative to Fight Cybercrime as Advisory Council members. Announcing their entry, McAfee said Visa and the Merchant Risk Council are, by virtue of the communities they represent, familiar with the tremendous damage caused by cyber crime and fraud."
- Visa Puts Heartland on Probation Over Security Breach - www.seekingalpha.com - 03/13/09 - "Heartland Payment Systems (HPY), one of the largest credit card processors in North America, is finally being called to the carpet for the apparent lapses in Payment Card Industry Data Security Standards (PCI DSS) that contributed to the largest data breach of 2008, perhaps even the largest breach ever considering the full extent of the exposure has yet to be determined."
- BBC builds 22,000 system botnet - www.securecomputing.net.au - 03/13/09 - "A team of journalists and security experts from the BBC said that it has managed to purchase itself a botnet containing more than 22,000 infected PCs. The network was constructed as part of an investigation into cybercrime by the television programme Click. The network said that it obtained access to the infected systems by purchasing information from cybercriminals in chat rooms."
- PCI SSC Standards Training - PCI Standards Council - 03/13/09 - "The PCI SSC Standards Training class is based directly on the PCI SSC Qualified Security Assessor (QSA) training program. Attendees will learn what the QSAs learn so they can better prepare for an on-site PCI DSS assessment or perform the assessment internally."
- Upcoming Virtual Tradeshow: Straight Talk on PCI DSS Compliance - www.techtarget.com - 03/13/09 - "The requirements of the Payment Card Industry Data Security Standard (PCI DSS) have been subjected to different interpretations by both business and auditors, making it difficult for companies to achieve and maintain PCI compliance. Check out this Live 1 day Virtual Tradeshow and learn the facts on PCI straight from the experts."
- Bertucci's Proactively Secures its POS Systems and Corporate Computers - www.bit9.com - 03/13/09 - "Unsupported and unauthorized software downloads created licensing and security risks for this beloved Italian restaurant chain. Find out how Bertucci's used application whitelisting to secure its point of sale and corporate computer systems and demonstrate PCI DSS compliance."
- Hacking iTunes Gift Cards, and an iTunes Update - voices.washingtonpost.com - 03/12/09 - "Recently, several media outlets have been running a fascinating story about hackers making oodles of money selling iTunes gift cards activation codes at online auctions, supposedly after cracking the secret algorithm Apple uses to generate voucher codes for iTunes gift cards."
- Was MasterCard's decision not to publish security standard a mistake? - www.computerweekly.com - 03/12/09 - "MasterCard may have made a mistake when it rolled out two-factor security for online banking without exposing the technical standards behind it to public scrutiny. NatWest and Barclays have sent about five million readers, based on the MasterCard standard, to their customers so far."
- Cybercrime-as-a-service takes off - www.securecomputing.net.au - 03/12/09 - "Malware writers that sell toolkits online for as little as $400 will now configure and host the attacks as a service for another $50, a security expert has said. Speaking at the Vasco Banking Summit in Sydney yesterday, the company's technical account manager, Vlado Vajdic, told delegates that cyber crime was becoming so business-like that online offerings of malicious code often included support and maintenance services."
- Maintaining security during retrenchments - www.securecomputing.net.au - 03/12/09 - "With the economy in tatters and layoffs happening so regularly that Internet applications are being created solely to chronicle the firings, the insider threat is rising, as Dan Kaplan explains."
- Bank of America reports ATM scam in Lehigh Valley - www.lehighvalleylive.com - 03/12/09 - "City police said Bank of America believes someone is using area ATMs to steal money from customers' accounts. Bank of America reported Tuesday that an ATM scam bilked Lehigh Valley customers out of at least $21,000. The bank said local and federal authorities are investigating."
- Coleman calls data breach 'chilling' - www.kare11.com - 03/12/09 - "Republican Norm Coleman calls it "chilling" and "frightening." His campaign learned Tuesday night that someone had compromised private, confidential information from online donors. The campaign sent an e-mail alert to supporters and donors Wednesday."
- PCI DSS Masterclass - news.therecord.com - 03/12/09 - "Police are warning area businesses to keep a close eye on their debit machines and check for tampering after two men stole a PIN pad from a Weber Street gas station. Yesterday, police released surveillance footage of the men swiping the device from the counter on Feb. 26."
- PCI SSC Standards Training - www.pcisecuritystandards.org - 03/11/09 - "The Payment Card Industry Security Standards Council (PCI SSC) is pleased to announce the first PCI SSC sponsored Standards Training Session taking place April 6-7, 2009 in Chicago, IL."
- 3 locals arrested for racketeering: skimming credit cards - www.coloradoconnection.com - 03/11/09 - "Three people have been arrested and are being held in the El Paso County Criminal Justice Center, booked on racketeering charges that involved skimming credit cards which were duplicated and used to fraudulently purchase goods. Corey Skinner, Mark Nielsen and Amanda Stillwell are each being held on $100,000 bond."
- High-Tech Criminals Target ATMs to Steal Vital Personal Financial Information From Customers - news.prnewswire.com - 03/11/09 - "Skimming - a way criminals use high-tech electronic tools to capture personal financial information and steal money from automated teller machine (ATM) customers - is one of the financial industry's fastest-growing crimes, according to the U.S. Secret Service."
- PCI DSS Masterclass - www.itgovernance.co.uk - 03/11/09 - "I am writing to offer you a discount of £100 to attend our PCI DSS Masterclass on 1st April 2009 in London. This 1-day, information-packed masterclass gives you everything you need to know for PCI compliance."
- Cardholders Buy Peace of Mind, if Not Security - online.wsj.com - 03/10/09 - "When the going gets tough, the worried buy credit-monitoring services. As the number of data breaches rises, there's a growing cottage industry of companies selling protection to consumers."
- iTunes Voucher Codes Hacked - www.trustedreviews.com - 03/10/09 - "Someone hacked an iTunes gift card algorithm. Chinese vendors have been selling spoofed cards with hundreds of dollars of credit for small prices, and apparently this has been going on for half a year at least."
- California bill spells out what companies have to say about data breaches - www.computerworld.com - 03/09/09 - "A co-author of the landmark data-breach notification law that took effect in California six years ago is now looking to add new requirements spelling out what companies have to tell affected individuals about breaches."
- Woman Gets 4 Years For 'Skimming' Credit Cards - www.cbs2chicago.com - 03/09/09 - "A Chicago woman was sentenced to four years in prison Monday after pleading guilty to using an electronic skimmer to steal credit card numbers from customers of a west suburban restaurant. Nicole Dixon, 26, of 1639 S. California Ave., pleaded guilty to three counts of identity theft before Judge Carol Kipperman, according to the Cook County State's Attorney's office."
- Do Breach Notification Laws Work? Yes - www.informationweek.com - 03/09/09 - "Apparently a good number of consumers who receive letters notifying them that their financial or credit card information has been breached are tossing the notifications without taking action. Does this mean these notices are worthless?"
- Rough seas for PCI - www.greensheet.com - 03/09/09 - "The recent security breach at Heartland Payment Systems Inc. triggered another round of soul-searching about the Payment Card Industry (PCI) Data Security Standard (DSS)."
- PCI SSC Prioritized Approach for DSS 1.2 Webinar - PCI SSC Council - 03/09/09 - "Join the PCI SSC Council at one of these complimentary Webinar sessions to learn the details of the recently launched PCI SSC Prioritized Approach for DSS 1.2."
- Visa backtracks on breach disclosure - www.computerworld.com - 03/09/09 - "Visa and MasterCard have probably been slow to identify the cause of a breach that they warned banks about in mid-February because they want to complete an investigation into the incident, analysts say. However, the lack of candor sparked rampant speculation that a new, major breach had occurred, forcing Visa to later say that the warning referred to an expanded investigation of a previously known incident."
- State Breach Law Summary - www.secureretailpayments.com - 03/06/09 - "Summary of state data breach laws put together by the ETA."
- Hacker forum shut down by German police Internet crime unit - www.securecomputing.net.au - 03/06/09 - "The www.codesoft.cc forum was being used by hackers to exchange information about malware, spying and the creation of fake credit cards, according to investigators at the Landeskriminalamt police Internet crime unit in the Baden-Württemberg region."
- Acculynk Announces Issuer Participation in PIN Debit Pilot Program - www.paymentsnews.com - 03/06/09 - "Acculynk has announced that its Internet PIN debit pilot program is scheduled to go live in early March with several issuers that will bring several million cards to the pilot. The first pilot issuers to participate are from the ACCEL/Exchange EFT network, owned by Fiserv. Acculynk says that a second EFT network will be announced in a few weeks."
- State Data Security Legislative Roundup - www.electran.org - 03/06/09 - "State lawmakers around the country are continuing to target data security practices and breach notification issues as annual legislative sessions unfold. The predominant focus for 2009 seems to be on protecting data and preventing misuse of data, but breach notification rules and liability for breaches remain on the agenda in a few states."
- Two banks confirms card fraud from Bottle Domains hack - www.thesheet.com - 03/06/09 - "One bank has confirmed fraud on some of the credit-cards whose details were stolen in the theft of up to 60,000 customers records from Bottle Domains. And another has confirmed it is watching a list of card accounts at risk, a list sent to it by the Australian Federal Police."
- PCI SECURITY STANDARDS COUNCIL TO HOLD INAUGURAL PCI STANDARDS TRAINING SESSION - biz.yahoo.com - 03/05/09 - "The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), today announced the launch of a new training course for merchants."
- Symantec Security Awareness Program Helps Organizations Protect Information - www.msnbc.msn.com - 03/05/09 - "Symantec Corp. (NASDAQ: SYMC) today announced the newest version of the Symantec Security Awareness Program, a comprehensive employee training program designed to help organizations build a more security conscious workforce."
- Study: Fraud Could Drive Consumers To Non-Bank Online Payments - www.digitaltransactions.net - 03/05/09 - "Among its many damaging effects, financial fraud threatens the growth of online payments and banking and could drive consumers away from banks and toward electronic payment systems they perceive as more secure, such as PayPal. Those are some of the conclusions in a new report from technology research and consulting firm Gartner Inc. about data breaches and financial crimes."
- In cases of ID theft, numbers do lie - www.lasvegassun.com - 03/04/09 - "Nevada has the nation’s third-worst identity theft problem — according to a federal study that wildly underestimates the rates. A Federal Trade Commission report released last week revealed Nevada citizens filed 2,930 identity theft complaints in 2007, enough to rank us third in the nation, per-capita."
- Bank customers in Sarasota County warned about skimming device - www.abcactionnews.com - 03/04/09 - "The Bank of America at 1270 Jacaranda Blvd., in Venice has notified the Sheriff's Office that an ATM skimming device had been used at their branch on Monday, February 16th, 2009."
- Skimming device used at Venice bank ATM - www.mysuncoast.com - 03/04/09 - "The Bank of America at 1270 Jacaranda Blvd., in Venice has notified the Sheriff's Office that an ATM skimming device had been used at their branch on Monday, February 16th, 2009."
- Trustwave 2008 Forensics Update - www.trustwave.com - 03/04/09 - "Trustwave's forensics division, part of the Trustwave SpiderLabs practice, has uncovered a technique used by attackers to steal cardholder data, even if that data isn't written to disk (i.e., stored or saved). While the possibility of the technique has existed for some time, Trustwave investigators had not observed actual use of the technique until now."
- Early 2009 Shows Active FTC Data Security Enforcement; No Room For Lax Safeguards - www.metrocorpcounsel.com - 03/04/09 - "Over the last three years, the Federal Trade Commission ("FTC") has settled with fourteen businesses over alleged inadequate data security practices concerning how such businesses protect consumers' personal information. The start of 2009 makes clear that the FTC intends to continue its aggressive enforcement in this area."
- PCI DSS 1.2 Prioritized Approach Guidelines - www.pcisecuritystandards.org - 03/03/09 - "The Prioritized Approach provides guidance that will help merchants identify how to reduce risk to card holder data as early on as possible in their compliance journey. The tool groups together the requirements of PCI DSS 1.2 into six key milestones for merchants to consider in their card data security strategy."
- PCI DSS 1.2 Prioritized Approach Guidelines - www.pcisecuritystandards.org - 03/03/09 - "The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed, 12 requirements structure for securing cardholder data that is stored, processed and/or transmitted by merchants and other organizations."
- PCI DSS 1.2 Prioritized Approach Worksheet - www.pcisecuritystandards.org - 03/03/09 - "The PCI DSS 1.2 Prioritized Approach worksheet can be used by retailers as they identify how to reduce risk to card holder data as early on as possible in their efforts to achieving full PCI DSS compliance."
- Online card readers will become fraud target - www.computerweekly.com - 03/02/09 - "Bank card scanners used to authenticate online bank users only have a 100% safety record because criminals have softer targets to attack, an academic has warned. Banks should not become complacent, because criminals have the time and resources to find ways of defrauding users of these two-factor authentication devices."
- Malton man arrested in massive fraud bust - www.mississauga.com - 03/02/09 - "A Malton man is among 26 people facing fraud-related charges in connection with a debit card forgery ring that reaped "tens of thousands" of dollars. The Durham Regional Police investigation, dubbed Project Off-Guard, concluded last week with tens of thousands of dollars confiscated and forgery equipment dismantled and seized, police said."
February 2009
- PCI council offering "milestones" for compliance - www.scmagazineus.com - 02/27/09 - "The organization charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is trying to give merchants a compliance blueprint. The Prioritized Approach Tool offers six "milestones" that businesses should try to reach in their pursuit of compliance, said Lib de Veyra, the newly appointed chairman of the PCI Security Standards Council, which manages the guidelines."
- Cashier charged in credit card scam (Home Depot) - www.chicagobreakingnews.com - 02/27/09 - "A Wheeling man has been charged with stealing credit-card information while working as a cashier at a home-improvement store, authorities said. Siamion Kuzmin, 19, of the 200 block of Woodmere Lane, is charged with eight counts of identity theft, prosecutors said at a hearing today in the Rolling Meadows branch of Cook County Circuit Court. Bail was set at $15,000."
- ATM scam in St. Kitts/Nevis - www.computerworld.com - 02/27/09 - "Days after Visa Inc. seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems Inc. and RBS WorldPay Inc., the credit card company is now saying that there was no new security incident after all."
- ATM scam in St. Kitts/Nevis - www.sun-weekend.com - 02/27/09 - "Information reaching Sun St. Kitts/Nevis suggests one or more commercial banks in Nevis may have been subjected to an ATM scam that has been spreading its tentacles across the region. A reliable source informed the SUN that employees in a local bank were put on warning that 'card skimming activities occurred in St. Lucia, surfaced in Antigua and now it seems here.'"
- Security weakness found in online banking card readers - www.computerweekly.com - 02/27/09 - "Researchers at Cambridge University found weaknesses when they reverse engineered card readers from Barclays and NatWest. Bank customers use the card readers in conjunction with a bank card to produce a one-time password. Banks introduced the readers to reduce losses from phishing scams and keylogger attacks."
- CyberSource's 10th Annual Online Fraud Report - www.edgellcommunications.com - 02/27/09 - "The industry's most respected online fraud study analyzes benchmark data and practices you can use. This year's study found that online merchants estimate they lose 1.4% of their revenues to fraud or $4 Billion in annual sales. Read about this and over 25 other fraud management benchmarks, trends and practices."
- Successful retailers see value in payment security compliance, study finds - www.internetretailer.com - 02/27/09 - "86% of retailers that consulting firm RSR Research considers most successful say meeting payment security standards has at least some value. Meanwhile, 42% of laggards see no value in complying with such policies, a new study from the firm finds. Leading retailers put more stock in payment security than less successful merchants, a new study from RSR Research LLC suggests."
- Visa survey reveals many small businesses believe they are too small to attract fraudsters - www.newswire.ca - 02/27/09 - "A survey of Canadian small businesses released today by Visa reveals that 41 per cent of respondents believe that 'data thieves and hackers' are not interested in targeting their businesses because of their size."
- PCI Chiefs Defend Standard(s), Plans - securitywatch.eweek.com - 02/26/09 - "It's a gross oversimplification of an utterly staggering technical and social challenge, and he knows it as well as anyone, but it's hard to argue with PCI Security Standards Council General Manager Bob Russo's assertion that when it comes to improving electronic data security and related matters of individual privacy, 'something is much better than nothing.'"
- New Visa cards come with hefty price for retailers - www.canadianbusiness.com - 02/25/09 - "Small businesses might not be happy about it, but change is coming to your wallet. New chip-and-PIN credit cards being rolled out by Visa and MasterCard offer consumers another layer of security."
- PCI council ranks security risks, milestones - www.networkworld.com - 02/25/09 - "Businesses shouldn't let financial pressures put PCI-security compliance on the back burner, and the PCI Security Standards Council has devised a 12-step program to help merchants get there."
- TJX Over-Budgeted Its Data Breach Costs Last Year By $30.5 Million - www.storefrontbacktalk.com - 02/25/09 - "Although $19 billion retail chain TJX is suffering from the economy like all other chains, it recently got a $30.5 million financial windfall. How? By having underestimated how well it would do in court against various lawsuits and probes from the credit card industry’s worst-ever data breach. It impacted more than 100 million consumer cards, and some of the data grabbed came from as early as 2003."
- The PCI Fraud Argument Conundrum - www.storefrontbacktalk.com - 02/25/09 - "Why do retailers, service providers and financial institutions strive to achieve and maintain PCI compliance (assuming they do)? Mostly, they do it because it’s mandated by the card brands and their card acquirer. Too often lost in the coercive relationship that drives PCI, however, is the intent of the standards: fraud reduction. A few simple Google searches will confirm that the links between PCI compliance and fraud reduction are largely unexplored and unproven."
- Macy’s: POS “Formatting Flaw” Caused Debit Card Snafu - www.storefrontbacktalk.com - 02/25/09 - "Macy’s is now blaming a POS system “formatting flaw” for the holiday payment horror where 8,000 in-store customers’ debit cards were charged multiple times for single transactions. The retailer initially suspected that one of its third-party payment card processors caused the problem."
- SEC, FTC Investigating Heartland After Data Theft - www.pcworld.com - 02/25/09 - "Federal agencies, including the U.S. Federal Trade Commission and the U.S. Securities and Exchange Commission, have begun investigating Heartland Payment Systems following a massive data breach at the payment processing company."
- PCI And Schrodinger's Cat - www.informationweek.com - 02/25/09 - "The inherent paradox of the Payment Card Industry's compliance program to protect credit card data makes PCI a futile exercise. Let's try something else. PCI compliance is like Schrodinger's Cat. Is an organization compliant with PCI? Until you open the box to find out -- that is, until you assess the organization -- an organization exists in both a compliant and noncompliant state."
- CVS Caremark has agreed to settle Federal Trade Commission charges - www.7thspace.com - 02/24/09 - "CVS Caremark has agreed to settle Federal Trade Commission charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law."
- Four arrested after police bust alleged credit card fraud ring (Toronto) - www.cp24.com - 02/24/09 - "Toronto police have busted an elaborate debit and credit card fraud ring that gave five alleged suspects a lavish lifestyle - including the chance to open a spa, investigators say. Police say they seized $285,000 worth of property during raids on four properties as part of Project Tuna - three in Yorkville and one on the Danforth."
- No Confirmation So Far for Multiple Reports of Another Breach - www.digitaltransactions.net - 02/24/09 - "Reports of yet another merchant-acquirer data breach are speeding around the Internet, but the card networks have not confirmed them publicly. Nor has any processor been identified. Merchant-acquiring sources, however, tell Digital Transaction News that multiple processors may have been breached in recent months."
- Visa confirms another payment processor breach - www.securecomputing.net.au - 02/24/09 - "Another payment processor has fallen victim to hackers, Visa confirmed yesterday, though it has yet to emerge which company has been hit. Visa and MasterCard are notifying banks about accounts impacted by a "major compromise," unrelated to the massive Heartland Payment Systems incident announced last month, according to a number of credit unions and banking associations."
- Suspects Trick ATMs Into Giving Away $20 Bills - www.newschannel5.com - 02/23/09 - "Police in Columbia think two people robbed an ATM last week. It's part of a high-tech scam that lets thieves fly under the radar while making off with some big bucks."
- Hacker sentenced for stealing millions from U.S. cre
|